VIR Vulnerability Intelligence Relay

CVE-2025-70116

medium
Published 2026-05-27 Β· Modified 2026-06-01
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
4.3

Description

A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

Predictions

Exploit likelihood
53%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker Β· View original β†— Β· DFSG

CVE-2025-70116 NameCVE-2025-70116 DescriptionA NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV). SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red…

CVE-2025-70116

NameCVE-2025-70116
DescriptionA NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gpac (PTS)bullseye (security), bullseye1.0.1+dfsg1-4+deb11u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gpacsource(unstable)(unfixed)

Notes

https://github.com/gpac/gpac/issues/3345

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/gpac/gpac/issues/3345

OS impact
debian Debian Affected 1 release
VersionStatusFixed in
bullseye Affected β€”

References

CWEs

CWE-476

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.