These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-50810 is a NULL pointer dereference vulnerability in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. This vulnerability allows attackers to cause a denial of service. The vulnerability is due to a NULL pointer being dereferenced in the smooth_parse_stream_index() function. Users of GPAC master HEAD before commit b35c [truncated]
CVE-2025-60465 is a use-after-free vulnerability in the gf_filter_pid_inst_swap function of GPAC Project/MP4Box before 26.02.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The CVE was published on 2026-06-25T20:17:08.673Z and last modified on 2026-06-30T19:03:42.293Z. The vend [truncated]
CVE-2025-60473 is a MEDIUM severity vulnerability in GPAC Project MP4Box before 26.02.0. A NULL pointer dereference in the gf_filter_in_parent_chain function allows attackers to cause a Denial of Service (DoS) via supplying a crafted file. The vulnerability was published on June 25, 2026, and last modified on June 29, 2026. The Common Vulnerability Scoring System (CVSS) score is 5.5. This vulnerability is [truncated]
CVE-2025-60471 is a use-after-free vulnerability in the gf_filter_pid_reconfigure_task_discard function of GPAC Project/MP4Box before 26.02.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. The vulnerability has a CVSS score of 5.5 and a severity of MEDIUM. The CVE was published on 2026-06-24T19:17:07.920Z and last modified on 2026-06-29T23:14:24 [truncated]
A stack overflow vulnerability was discovered in GPAC MP4Box v2.4, specifically in the gf_opus_read_length function located in media_tools/av_parsers.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and a severity rating of MEDIUM.
A heap buffer overflow vulnerability was discovered in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4. This vulnerability, tracked as CVE-2025-55652, allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and a severity rating of MEDIUM.
CVE-2025-55650 is a medium-severity vulnerability in GPAC MP4Box v2.4. A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The CVSS score for this vulnerability is 5.5.
CVE-2025-55649 is a medium-severity vulnerability in GPAC MP4Box v2.4. A NULL pointer dereference in the gf_media_map_esd function (media_tools/isom_tools.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The CVSS score for this vulnerability is 5.5.
A heap buffer overflow vulnerability was discovered in the gf_opus_parse_packet_header function (media_tools/av_parsers.c) of GPAC MP4Box v2.4. This vulnerability, tracked as CVE-2025-55648, allows attackers to cause a Denial of Service (DoS) by supplying a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and a severity rating of MEDIUM.
CVE-2025-55644 is a medium-severity vulnerability in GPAC MP4Box v2.4. A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The CVSS score for this vulnerability is 5.5.
CVE-2025-55643 is a medium-severity vulnerability in GPAC MP4Box v2.4. A NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2025-55643).
A floating point exception was discovered in GPAC MP4Box v2.4 in the avidmx_process function (isomedia/isom_write.c). This vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.
CVE-2025-55657 is a HIGH severity vulnerability in GPAC MP4Box v2.4. A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The vulnerability has a CVSS score of 7.5 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2025-55657).
CVE-2025-55651 is a medium-severity vulnerability in GPAC MP4Box v2.4. A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. The vulnerability has a CVSS score of 5.5 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2025-55651).
A heap use-after-free vulnerability exists in the `dasher_process` function within `/filters/dasher.c` of GPAC Project/MP4Box before version 26.02.0. The flaw can be triggered when a crafted MPEG-2 file is processed, leading to a Denial of Service (DoS) condition. The vulnerability was addressed in a commit to the GPAC repository. A public issue report and proof-of-concept materials are available.
A heap buffer overflow vulnerability exists in the m2tsdmx_send_packet function within filters/dmx_m2ts.c in GPAC MP4Box v2.4. The flaw can be triggered when processing a crafted MP4 file, leading to a Denial of Service (DoS) condition. The vulnerability was addressed in a commit to the GPAC repository.
A NULL pointer dereference vulnerability exists in GPAC MP4Box when parsing malformed MP4 files. The issue occurs in `gf_media_map_esd` within the media tools ISOM utilities, where an unknown or invalid `stsd` (sample description) entry can result in missing descriptor fields—specifically codec, MIME type, or profile strings. When these fields are absent, the function subsequently calls `strlen()` on a NU [truncated]
A memory leak vulnerability exists in GPAC up to version 2.4.0, specifically within the Media_GetSample function in src/isomedia/media.c. The vulnerability is triggered through manipulation of the 'cat' argument when processing MP4 files via the MP4Box component. This issue results in memory leak (CWE-401/CWE-404) with availability impact. The attack vector is local, requiring low privileges but no user i [truncated]
A null pointer dereference vulnerability exists in GPAC up to version 2.4.0, specifically within the MergeFragment function in src/isomedia/isom_intern.c. The issue affects the MP4Box component and can be triggered through local manipulation. The vulnerability has been assigned a CVSS 4.0 score of 1.9 (LOW severity) with an attack vector of local access, low attack complexity, and low availability impact. [truncated]