CVE-2025-70116

MEDIUM

GPAC MP4Box - Denial of Service via Truncated MP4 File Parsing

Title source: llm
STIX 2.1

Description

A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

References (4)

Core 4

Scores

CVSS v3 4.3
EPSS 0.0030
EPSS Percentile 21.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-476
Status published
Published May 27, 2026
Tracked Since May 27, 2026