CVE-2025-52293: GPAC MP4Box HEVC SPS Parser Memory Safety Vulnerability

Vulnerability Overview Vulnerability ID: CVE-2025-52293 Vulnerability Type: Memory safety vulnerability Affected Component: GPAC MP4Box HEVC SPS Parser Description: When processing MP4 files containing malformed HEVC SPS data, the function fails to safely handle HEVC SPS data from malicious MP4 files during video configuration parsing. During the import and splitting process, malformed SPS data reaches the HEVC parser, leading to invalid memory reads. AddressSanitizer reported a caused by a memory access in . The crash occurs when MP4Box processes the malicious file via the isomedia input and NAL replacement/configuration path. Impact Scope Affected Product: MP4Box (GPAC Multimedia Open Source Project) Affected Versions: MP4Box 2.4 and earlier (GPAC built from commit: 8a0d5b43c242fe4bfb88530e4c9afef37114161) Attack Conditions: The attacker provides an MP4 file containing a malformed HEVC SPS NAL unit. The issue can be reproduced locally: Privilege Escalation: User interaction is required, either when a victim manually processes a malicious MP4 file or when automated workflows invoke MP4Box on attacker-controlled media. Impact: The directly observed impact is denial of service due to process termination. The local CVE request classifies the issue as a buffer overflow/memory safety violation. The observed ASAN trace indicates an invalid read; arbitrary code execution was not observed. Remediation Fix Status: The issue has been fixed in the GPAC commit: Recommendation: Users should update to a GPAC build that includes this commit or a later version. The parser should validate HEVC SPS bitstream boundaries and reject malformed SPS/NAL data before reading fields from the bitstream. References Issue: github.com/gpac/gpac/issues/31 PoC: github.com/sigdevel/pocs/blob/... Fix: github.com/gpac/gpac/commit/d0... Credit @sigdevel

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-52293: GPAC MP4Box HEVC SPS Parser Memory Safety Vulnerability