GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gfisomaddtrackkind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55639.json",
"cna_assigner": "mitre"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "26.02.0"
}
]
}"2026-07-09T18:18:32Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55639.json"
[
{
"id": "CVE-2025-55639-0392ea84",
"digest": {
"function_hash": "192540411118792939251538053913742512613",
"length": 1446.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/027ce139dda498ee95df36db9f9f6f3cadce8ec9",
"deprecated": false,
"target": {
"function": "gf_isom_add_track_kind",
"file": "src/isomedia/isom_write.c"
}
},
{
"id": "CVE-2025-55639-83165792",
"digest": {
"line_hashes": [
"29677092208908187604996957519435153166",
"253621364095170723494424367398000078983",
"69165970050574451470899796378113575133",
"202666304542014822558361239119992135387"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/027ce139dda498ee95df36db9f9f6f3cadce8ec9",
"deprecated": false,
"target": {
"file": "src/isomedia/isom_write.c"
}
}
]