LiveActive security incident?Get immediate response
CVE Record

CVE-2025-15668: GPAC MP4Box box_code_base.c sgpd_del_entry heap-based overflow

A vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue.

MediumCVSS 4.8Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

GPAC's MP4Box tool has a memory-handling flaw that can crash the program or, in some cases, allow an attacker with local access to influence what code runs. It only triggers when a user processes a malicious media file locally, so risk to most businesses is limited unless MP4Box is embedded in media workflows.

Executive priority

Schedule a routine patch cycle. Priority rises to elevated only if MP4Box is exposed to untrusted media or embedded in production ingestion. No emergency response is warranted based on current evidence.

Technical view

A heap-based buffer overflow (CWE-122, CWE-119) exists in sgpd_del_entry within src/isomedia/box_code_base.c of GPAC up through commit b40ce70f5. Manipulation of the data argument corrupts heap memory. CVSS 4.0 is 4.8 (AV:L/AC:L/PR:L/UI:N/VA:L, E:P) reflecting local access, low privileges, and availability impact. Upstream patch f29f955f2a3b5e8e507caad3e52319f961bf37bf resolves it.

Likely exposure

Exposure is limited to systems running GPAC/MP4Box for media conversion, streaming preparation, or analysis. Common in video pipelines, research environments, and desktop media utilities. Not KEV-listed. Servers that ingest untrusted MP4 files through MP4Box or wrappers around it are the primary concern.

Exploitation context

A public proof-of-concept is referenced in the source bundle, and VulDB marks the exploit as publicly available. No CISA KEV entry and no confirmed in-the-wild abuse reported. CVSS vector requires local access and low privileges, with impact limited to availability, indicating denial-of-service is the most credible outcome today.

Researcher notes

Sink is sgpd_del_entry in src/isomedia/box_code_base.c; review the patch diff at commit f29f955f2a3b5e8e507caad3e52319f961bf37bf to understand the entry cleanup logic and any related sample group description handling. PoC is hosted in TimChan2001/pocs. Confirm downstream forks and packaged distributions (e.g., distro repos) have picked up the fix, as GPAC is frequently vendored.

Mitigation direction

  • Upgrade GPAC to a build that includes commit f29f955f2a3b5e8e507caad3e52319f961bf37bf.
  • Restrict MP4Box execution to trusted users and vetted input files.
  • Sandbox MP4Box processing (containers, seccomp, or non-privileged service accounts).
  • Remove or disable GPAC on systems that do not require it.
  • Monitor GPAC GitHub issue 3398 and vendor releases for further guidance.

Validation and detection

  • Inventory hosts running GPAC/MP4Box and record the built commit or version.
  • Compare installed commit against b40ce70f5 and confirm the patch commit is present.
  • Test MP4Box parsing against known-good samples after upgrade to confirm stability.
  • Review pipelines that pass user-supplied media into MP4Box for input validation gaps.
  • Check endpoint logs for MP4Box crashes or unexpected terminations tied to media processing.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-119: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-122: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-15668 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.8 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4CVSS vectors
6Timeline events
1ADP providers
9Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: noTechnical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.8CVSS 4.0MediumCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:PVulDB
3.3CVSS 3.1LowCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C1.81.4VulDB
3.3CVSS 3.0LowCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C1.81.4VulDB
1.7CVSS 2.0LowAV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C3.12.9VulDB

Vulnerability scoring details

Base CVSS 4.0 score

4.8Medium
CVSS 4.0 vector shape for CVE-2025-15668Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineVulDB

    Advisory disclosed

  2. Source timelineVulDB

    VulDB entry created

  3. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timelineVulDB

    VulDB entry last update

  5. CVE publishedCVE Program

    The CVE record was published.

  6. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/aGPACb40ce70f5Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-119 · source CWE mapping

Improper Restriction of Operations within the Bounds of a Memory Buffer

Improper Restriction of Operations within the Bounds of a Memory Buffer represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-122 · source CWE mapping

Heap-based Buffer Overflow

Heap-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.