A NULL pointer dereference in the gfac4presb4backchannelspresent function (/mediatools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60483.json",
"cna_assigner": "mitre"
}"2026-07-09T19:35:01Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60483.json"
[
{
"id": "CVE-2025-60483-0c927a09",
"digest": {
"function_hash": "119331427118805452260653977110323882068",
"length": 1144.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "txtin_process_send_text_sample",
"file": "src/filters/load_text.c"
}
},
{
"id": "CVE-2025-60483-149d4899",
"digest": {
"function_hash": "229378594528598445528239402183340614774",
"length": 1117.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_odf_ac4_cfg_clean_list",
"file": "src/odf/descriptors.c"
}
},
{
"id": "CVE-2025-60483-16588809",
"digest": {
"function_hash": "184838686202623878916577001940544593865",
"length": 8162.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_filter_pid_resolve_file_template_ex",
"file": "src/filter_core/filter_pid.c"
}
},
{
"id": "CVE-2025-60483-2eebe9f9",
"digest": {
"line_hashes": [
"263229855699910055907089839999455364739",
"192113742765769321982905987820968519317",
"265796515486067353279725015632590065927",
"10900472474120666202727518599613208387"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"file": "src/filter_core/filter_pid.c"
}
},
{
"id": "CVE-2025-60483-3842f775",
"digest": {
"function_hash": "72329964463097325273241771529695068410",
"length": 529.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_ac4_pres_top_channel_pairs",
"file": "src/media_tools/av_parsers.c"
}
},
{
"id": "CVE-2025-60483-86516fde",
"digest": {
"line_hashes": [
"274941447431428118303552763218508288485",
"94529169039144367614443729912742324066",
"233445931520024186195245170005028677098",
"251308173171149139094601613017950448959"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"file": "src/filters/load_text.c"
}
},
{
"id": "CVE-2025-60483-c49e9fa3",
"digest": {
"function_hash": "12853528996648484221985318558537587175",
"length": 383.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_ac4_pres_b_4_back_channels_present",
"file": "src/media_tools/av_parsers.c"
}
},
{
"id": "CVE-2025-60483-c94f3045",
"digest": {
"function_hash": "167815779127432638081820870950817504914",
"length": 604.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_ac4_oamd_common_data",
"file": "src/media_tools/av_parsers.c"
}
},
{
"id": "CVE-2025-60483-d85dcab6",
"digest": {
"function_hash": "52043912534921305866336672133175427024",
"length": 4148.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"function": "gf_odf_ac4_cfg_dsi_v1",
"file": "src/odf/descriptors.c"
}
},
{
"id": "CVE-2025-60483-daf7e5ad",
"digest": {
"line_hashes": [
"21881754412139333564879561943549396813",
"187425246353187912494381215261152866660",
"152131168274718466098767917775716842435",
"46166691777284388558447332696030508480",
"318100075712337754198511967558730808404",
"302172459793984814086232159568483977511",
"276164901311492659373966563863416415002",
"315832589933922446446407648342029123575",
"147353908516770057652343077764619110718",
"299712238538084327212168653616355381101",
"261268044783629405480604841356721107886",
"57481430810754653389291400155288281680",
"321675206653785456496182330702511978153",
"274573090219790207878364981908708016017",
"137094092846678770852079822596970685581",
"39783544712492073382198650615105358454",
"47828808561271817177125719610403089315"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"file": "src/odf/descriptors.c"
}
},
{
"id": "CVE-2025-60483-e82e87cc",
"digest": {
"line_hashes": [
"269372615484095727664279138480992726371",
"284662915484188318166549626663487275179",
"131402185700019386913151730365332512031",
"209385215032895354917277063366667043613",
"19500034083579600205700187086289098294",
"135040001861682879386930705441291951365",
"181297475272340019449360578467135501194",
"136487013873471022016688705030312090735",
"19500034083579600205700187086289098294",
"135040001861682879386930705441291951365",
"181297475272340019449360578467135501194",
"209751471631048242378424560661162680361"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695",
"deprecated": false,
"target": {
"file": "src/media_tools/av_parsers.c"
}
}
]