A vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue.
Security readout for executives and security teams
Plain-English summary
GPAC's MP4Box tool has a memory-handling flaw that can crash the program or, in some cases, allow an attacker with local access to influence what code runs. It only triggers when a user processes a malicious media file locally, so risk to most businesses is limited unless MP4Box is embedded in media workflows.
Executive priority
Schedule a routine patch cycle. Priority rises to elevated only if MP4Box is exposed to untrusted media or embedded in production ingestion. No emergency response is warranted based on current evidence.
Technical view
A heap-based buffer overflow (CWE-122, CWE-119) exists in sgpd_del_entry within src/isomedia/box_code_base.c of GPAC up through commit b40ce70f5. Manipulation of the data argument corrupts heap memory. CVSS 4.0 is 4.8 (AV:L/AC:L/PR:L/UI:N/VA:L, E:P) reflecting local access, low privileges, and availability impact. Upstream patch f29f955f2a3b5e8e507caad3e52319f961bf37bf resolves it.
Likely exposure
Exposure is limited to systems running GPAC/MP4Box for media conversion, streaming preparation, or analysis. Common in video pipelines, research environments, and desktop media utilities. Not KEV-listed. Servers that ingest untrusted MP4 files through MP4Box or wrappers around it are the primary concern.
Exploitation context
A public proof-of-concept is referenced in the source bundle, and VulDB marks the exploit as publicly available. No CISA KEV entry and no confirmed in-the-wild abuse reported. CVSS vector requires local access and low privileges, with impact limited to availability, indicating denial-of-service is the most credible outcome today.
Researcher notes
Sink is sgpd_del_entry in src/isomedia/box_code_base.c; review the patch diff at commit f29f955f2a3b5e8e507caad3e52319f961bf37bf to understand the entry cleanup logic and any related sample group description handling. PoC is hosted in TimChan2001/pocs. Confirm downstream forks and packaged distributions (e.g., distro repos) have picked up the fix, as GPAC is frequently vendored.
Mitigation direction
Upgrade GPAC to a build that includes commit f29f955f2a3b5e8e507caad3e52319f961bf37bf.
Restrict MP4Box execution to trusted users and vetted input files.
Sandbox MP4Box processing (containers, seccomp, or non-privileged service accounts).
Remove or disable GPAC on systems that do not require it.
Monitor GPAC GitHub issue 3398 and vendor releases for further guidance.
Validation and detection
Inventory hosts running GPAC/MP4Box and record the built commit or version.
Compare installed commit against b40ce70f5 and confirm the patch commit is present.
Test MP4Box parsing against known-good samples after upgrade to confirm stability.
Review pipelines that pass user-supplied media into MP4Box for input validation gaps.
Check endpoint logs for MP4Box crashes or unexpected terminations tied to media processing.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-119: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-119 · source CWE mapping
Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Restriction of Operations within the Bounds of a Memory Buffer represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Heap-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.