new 3 SEGV in MP4Box in gpac/gpac


Reported on

Oct 15th 2023


new 3 SEGV in MP4Box


$ ./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master


$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux


./MP4Box -dash 10000 poc




This vulnerability allows a remote attacker to cause a denial of service on an affected gpac MP4Box. Exploiting this vulnerability requires user interaction, as the target must access a malicious page or open a malicious file.

We are processing your report and will contact the gpac team within 24 hours. a month ago
A GitHub Issue asking the maintainers to create a exists a month ago
We have contacted a member of the gpac team and are waiting to hear back a month ago
gpac/gpac maintainer
a month ago


gpac/gpac maintainer validated this vulnerability a month ago
gandalf4a has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3-DEV with commit d2de8b a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
gpac/gpac maintainer published this vulnerability a month ago
a month ago


The maintainers didn't seem to know how to do it, they were confirmed directly in the github issue( Can we assign a CVE through this? Thanks! @admin

to join this conversation