CVE-2025-70116 Overview
CVE-2025-70116 is a NULL pointer dereference vulnerability in GPAC MP4Box, the multimedia packaging tool from the GPAC open-source framework. The flaw exists in the gf_media_map_esd function within media_tools/isom_tools.c. When MP4Box parses a truncated MP4 file containing an unknown or invalid stsd (Sample Description Box) entry, descriptor fields such as codec, MIME, or profile strings remain unset. The function then invokes strlen() on a NULL pointer, producing a segmentation fault detected by AddressSanitizer (ASan SEGV). The issue affects users and automated pipelines that process untrusted MP4 input through MP4Box.
Critical Impact
Processing a crafted or truncated MP4 file crashes MP4Box, enabling denial-of-service against media conversion, transcoding, and analysis workflows.
Affected Products
- GPAC MP4Box (multimedia packaging utility)
- GPAC framework media_tools/isom_tools.c component
- Downstream tools and services that embed GPAC libraries for MP4 parsing
Discovery Timeline
- 2026-05-27 - CVE-2025-70116 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-70116
Vulnerability Analysis
The vulnerability is a NULL pointer dereference [CWE-476] inside gf_media_map_esd at approximately line 1364 of media_tools/isom_tools.c. MP4Box reads the Sample Description Box (stsd) to determine how to construct an Elementary Stream Descriptor (ESD) for each track. When MP4Box encounters an stsd entry with an unknown or malformed sample entry type, the parser does not populate descriptor string fields such as the codec identifier, MIME type, or profile string. These fields remain NULL when control reaches the descriptor mapping logic. The function then passes one of these NULL pointers directly to strlen(), which dereferences the pointer to scan for a terminating byte and triggers an immediate segmentation fault.
Root Cause
The root cause is missing validation between the stsd parsing stage and the descriptor mapping stage. The code assumes that every successfully parsed sample entry yields populated descriptor strings. Truncated files terminate parsing early without producing an error that prevents the subsequent call into gf_media_map_esd. No NULL check guards the strlen() invocation.
Attack Vector
An attacker delivers a crafted or intentionally truncated MP4 file to a victim or service that processes it with MP4Box. Triggering the bug requires only that the file be opened and inspected. The result is a process crash. There is no evidence in the referenced material of memory disclosure or code execution. The vulnerability manifests as a reliable denial-of-service against MP4Box and any service that wraps it.
No verified exploitation code is available. See the GPAC GitHub Issue #3345 and the public proof-of-concept artifact for the trigger file and crash trace.
Detection Methods for CVE-2025-70116
Indicators of Compromise
- MP4Box process termination with SIGSEGV when invoked against a user-supplied or network-sourced MP4 file.
- AddressSanitizer reports referencing gf_media_map_esd and strlen within media_tools/isom_tools.c.
- Repeated crashes of media conversion or transcoding workers shortly after ingesting an untrusted MP4.
Detection Strategies
- Monitor host telemetry for unexpected MP4Box or GPAC library crash events and core dumps.
- Inspect ingestion queues for MP4 files with truncated structures or malformed stsd boxes prior to processing.
- Correlate media-processing service restarts with the filenames and sources of recently submitted MP4 inputs.
Monitoring Recommendations
- Enable verbose GPAC logging during MP4 ingestion to capture parser warnings about unknown sample entry types.
- Track resource and stability metrics for sandboxed media workers to surface repeated crash patterns.
- Alert when crash signatures contain the symbol gf_media_map_esd in stack traces.
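The crash-signature match that the Detection Strategies and Monitoring Recommendations describe (a SIGSEGV whose top frames pair strlen with gf_media_map_esd), as an added example in Python that is not part of GPAC or this advisory; the ASan excerpt is constructed to mirror the described trace, with placeholder PID, addresses and caller frames, not a real report from the referenced issue:

```python
import re

# Constructed ASan excerpt shaped like the CVE-2025-70116 crash (not a real report from
# the GPAC issue): the PID, addresses and the frames below gf_media_map_esd are placeholders.
SAMPLE_ASAN_LOG = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0000001234 bp 0x7ffc00000000 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: address points to the zero page.
    #0 0x7f0000001234 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x1234)
    #1 0x55d000003456 in gf_media_map_esd media_tools/isom_tools.c:1364
    #2 0x55d000004567 in PLACEHOLDER_caller PLACEHOLDER.c:1
    #3 0x55d000005678 in main PLACEHOLDER_main.c:1
==4242==ABORTING
"""

# Symbols that must both appear in the top frames for the CVE-2025-70116 signature.
SIGNATURE_FRAMES = ("strlen", "gf_media_map_esd")

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?")

def parse_asan_report(text):
    """Return (error_kind, [(frame_no, symbol, location), ...]) from one ASan report."""
    error_kind, frames = None, []
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m and error_kind is None:
            error_kind = m.group(1)          # e.g. "SEGV", "heap-buffer-overflow"
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return error_kind, frames

def matches_cve_2025_70116(text, depth=4):
    """True when the report is a SEGV whose top `depth` frames contain both strlen
    (substring match also covers ASan's __interceptor_strlen) and gf_media_map_esd."""
    error_kind, frames = parse_asan_report(text)
    if error_kind != "SEGV":
        return False
    top_symbols = [sym for _, sym, _ in frames[:depth]]
    return all(any(sig in sym for sym in top_symbols) for sig in SIGNATURE_FRAMES)

if __name__ == "__main__":
    kind, frames = parse_asan_report(SAMPLE_ASAN_LOG)
    print(kind, frames[:2])
    print("ALERT: CVE-2025-70116 signature" if matches_cve_2025_70116(SAMPLE_ASAN_LOG) else "no match")
```

Feed it the stderr of each crashed worker; a match on an otherwise unrelated SEGV is avoided by requiring both symbols within the top frames rather than anywhere in the trace.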
How to Mitigate CVE-2025-70116
Immediate Actions Required
- Restrict MP4Box execution to sandboxed or containerized workers that can recover from crashes without service disruption.
- Validate MP4 file structure with an independent parser before passing input to MP4Box.
- Reject or quarantine MP4 uploads that fail structural integrity checks, including truncated moov or stsd atoms.
Patch Information
No official patched version is referenced in the available data. Track the upstream fix through GPAC GitHub Issue #3345 and, once it is merged, apply the corresponding commit from the master branch. Rebuild GPAC from source after pulling the fix and confirm that the proof-of-concept file from the public PoC repository no longer crashes MP4Box.
Workarounds
- Disable automated MP4Box processing of files from untrusted sources until a patched build is deployed.
- Wrap MP4Box invocations with process supervisors that constrain CPU, memory, and filesystem access, limiting blast radius from crashes.
- Pre-screen inputs with a hardened MP4 validator and discard files containing unknown sample entry types in stsd.
# Configuration example: run MP4Box under a constrained, restartable sandbox.
# Use a transient service rather than --scope: --uid and the exec hardening
# properties below only apply to processes that systemd itself spawns.
systemd-run --wait --pipe --collect --uid=mp4box \
  --property=MemoryMax=512M --property=NoNewPrivileges=yes \
  --property=RestrictSUIDSGID=yes --property=PrivateNetwork=yes \
  --property=ProtectSystem=strict \
  /usr/bin/MP4Box -info /var/ingest/untrusted_input.mp4
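The pre-screen that the Immediate Actions and Workarounds lists call for (validate structure with an independent parser, reject truncated moov/stsd atoms, discard unknown sample entry types), as an added example in Python that is not part of GPAC or this advisory; the KNOWN_SAMPLE_ENTRIES allow-list is a constructed starting point to tune to the codecs a pipeline actually accepts, and box() only exists to build sample files:

```python
import struct

CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}   # the path down to stsd
# Constructed allow-list of sample entry types this pipeline accepts; tune it to your codecs.
KNOWN_SAMPLE_ENTRIES = {b"avc1", b"avc3", b"hvc1", b"hev1", b"av01", b"vp09", b"mp4v",
                        b"mp4a", b"opus", b"ac-3", b"ec-3", b"mp4s", b"tx3g", b"stpp"}

def box(btype, payload):                       # build one box with a 32-bit size field
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def iter_boxes(data, pos, end, findings, path):   # yields (type, name, payload_start, payload_end)
    while pos < end:
        if end - pos < 8:
            findings.append(f"{path}: {end - pos} trailing byte(s) cannot hold a box header"); return
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        name, hdr = f"{path}/{btype.decode('latin-1')}", 8
        if size == 1 and end - pos >= 16:          # 64-bit largesize follows the type
            size, hdr = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:                            # box runs to the end of its parent
            size = end - pos
        if size < hdr or pos + size > end:         # truncated file or bogus size: stop here
            findings.append(f"{name}: declared size {size} exceeds {end - pos} available byte(s)"); return
        yield btype, name, pos + hdr, pos + size
        pos += size

def check_stsd(data, start, end, findings, name):
    """stsd is a full box: version/flags, entry_count, then one box per sample entry."""
    if end - start < 8:
        findings.append(f"{name}: too short for version/flags and entry_count"); return
    entry_count = struct.unpack(">I", data[start + 4:start + 8])[0]
    entries = list(iter_boxes(data, start + 8, end, findings, name))
    if len(entries) != entry_count:
        findings.append(f"{name}: entry_count {entry_count} but {len(entries)} entries present")
    for etype, ename, _, _ in entries:
        if etype not in KNOWN_SAMPLE_ENTRIES:
            findings.append(f"{ename}: unknown sample entry type")

def walk(data, start, end, findings, path, seen):
    for btype, name, pstart, pend in iter_boxes(data, start, end, findings, path):
        if btype == b"stsd":
            seen.append(name)
            check_stsd(data, pstart, pend, findings, name)
        elif btype in CONTAINER_BOXES:
            walk(data, pstart, pend, findings, name, seen)

def prescreen_mp4(data):
    """Return findings for an MP4 byte string; an empty list means it passed the pre-screen."""
    findings, seen = [], []
    walk(data, 0, len(data), findings, "", seen)
    return findings if seen else findings + ["no stsd box found under moov/trak/mdia/minf/stbl"]
```

Run prescreen_mp4() on each upload before it reaches MP4Box and quarantine anything that returns a non-empty list; it only checks box structure and entry types, so it is a gate, not a replacement for sandboxing.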
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.