Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-15668

CVE-2025-15668: GPAC MP4Box Buffer Overflow Vulnerability

CVE-2025-15668 is a heap-based buffer overflow flaw in GPAC MP4Box that affects the sgpd_del_entry function. Attackers with local access can exploit this vulnerability. This article covers technical details, impact, and patches.

Published:

CVE-2025-15668 Overview

CVE-2025-15668 is a heap-based buffer overflow vulnerability [CWE-119] in GPAC, an open-source multimedia framework, affecting versions up to commit b40ce70f5. The flaw resides in the sgpd_del_entry function within src/isomedia/box_code_base.c, part of the MP4Box component. Manipulation of the data argument triggers memory corruption on the heap. Exploitation requires local access to the target system. A public proof-of-concept exists, and the maintainers have released patch commit f29f955f2a3b5e8e507caad3e52319f961bf37bf to correct the issue.

Critical Impact

A local attacker supplying a crafted MP4 file can trigger a heap-based buffer overflow in MP4Box, potentially causing process crashes or memory corruption during multimedia processing.

Affected Products

  • GPAC multimedia framework up to commit b40ce70f5
  • GPAC MP4Box utility
  • Applications embedding vulnerable versions of the GPAC isomedia library

Discovery Timeline

  • 2026-07-06 - CVE-2025-15668 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2025-15668

Vulnerability Analysis

The vulnerability is a heap-based buffer overflow [CWE-119] located in the sgpd_del_entry function in src/isomedia/box_code_base.c. MP4Box is the container manipulation tool distributed with GPAC and is commonly used to inspect, package, and repackage ISO Base Media File Format (ISOBMFF) content.

The sgpd box handles sample group description entries within an MP4 container. When cleanup logic frees or iterates entries associated with specific grouping types, unhandled entry types can cause the code to release memory incorrectly, leading to heap corruption. The public patch adds handling for the GF_ISOM_SAMPLE_GROUP_AV1S grouping type so the entry is freed through the correct path.

Root Cause

The root cause is missing case handling in the sample group description entry deletion routine. Certain grouping type identifiers, including AV1S, were not routed to the generic gf_free(entry) cleanup path. This mismatch between allocation and deallocation logic allowed adjacent heap memory to be corrupted when specially crafted sgpd entries were processed by MP4Box.

Attack Vector

Exploitation requires local access and low privileges. An attacker crafts a malicious MP4 file containing malformed sample group description entries and induces a local user or automated process to invoke MP4Box against it. A public proof-of-concept file is available in the referenced GitHub repository, demonstrating the crash condition against MP4Box.

c
// Security patch in src/isomedia/box_code_base.c
// Adds AV1S grouping type to the generic free path to prevent heap corruption
	case GF_ISOM_SAMPLE_GROUP_RAP:
	case GF_ISOM_SAMPLE_GROUP_TELE:
	case GF_ISOM_SAMPLE_GROUP_SAP:
+	case GF_ISOM_SAMPLE_GROUP_AV1S:
		gf_free(entry);
		return;
	case GF_ISOM_SAMPLE_GROUP_SEIG:

Source: GitHub Commit f29f955

Detection Methods for CVE-2025-15668

Indicators of Compromise

  • Unexpected MP4Box process crashes or abnormal terminations when parsing user-supplied MP4 files.
  • Heap corruption reports from sanitizers (ASan) or crash dumps referencing sgpd_del_entry in box_code_base.c.
  • Presence of MP4 files containing malformed or unusual sample group description (sgpd) boxes.

Detection Strategies

  • Monitor invocations of MP4Box and related GPAC binaries in build pipelines, media processing servers, and end-user workstations.
  • Deploy binary version checks to identify GPAC installations older than commit f29f955f2a3b5e8e507caad3e52319f961bf37bf.
  • Compare hashes of MP4 files processed by media services against known-good sources when feasible.

Monitoring Recommendations

  • Alert on segmentation faults and SIGABRT signals originating from MP4Box or processes linking libgpac.
  • Log file paths and originating users for every MP4Box execution to identify suspicious inputs.
  • Track outbound behavior of media processing hosts for signs of chained post-exploitation activity.

How to Mitigate CVE-2025-15668

Immediate Actions Required

  • Update GPAC to a build that includes commit f29f955f2a3b5e8e507caad3e52319f961bf37bf or later.
  • Restrict use of MP4Box to trusted input sources and prevent untrusted users from supplying MP4 files to automated pipelines.
  • Audit media processing servers and developer workstations for vulnerable GPAC versions up to b40ce70f5.

Patch Information

The upstream fix is available in the GPAC project as commit f29f955f2a3b5e8e507caad3e52319f961bf37bf, referenced in GitHub Issue #3398 and the GPAC project repository. Rebuild GPAC from source at or beyond this commit, or install a vendor-provided package that incorporates the fix.

Workarounds

  • Run MP4Box inside a sandbox or container with restricted filesystem and privilege access to contain any successful exploitation.
  • Disable or remove MP4Box on systems where it is not required for business operations.
  • Reject MP4 files from untrusted sources at ingest boundaries until patched binaries are deployed.
bash
# Verify GPAC version and rebuild from a patched commit
MP4Box -version

git clone https://github.com/gpac/gpac.git
cd gpac
git checkout f29f955f2a3b5e8e507caad3e52319f961bf37bf
./configure && make && sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.