{"id":"CVE-2025-60483","details":"A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file.","modified":"2026-07-09T19:35:01.700900Z","published":"2026-06-01T00:00:00Z","database_specific":{"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60483.json"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/01/9"},{"type":"WEB","url":"https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/49/README.md"},{"type":"WEB","url":"https://infosec.exchange/@sigdevel/116659111520602254"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60483.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-60483"},{"type":"REPORT","url":"https://github.com/gpac/gpac/issues/3302"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"118e60a905878e56dc4f9c5b309143c5f447c702"},{"fixed":"13eb5b76560aaf7813b865a2ad433258478e2695"}],"database_specific":{"extracted_events":[{"introduced":"MP4Box"},{"fixed":"26.02.0"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["abi-16.5","abi-16.4","abi-16.3","abi-16.2","abi-16","abi-15.2","abi-15.1","abi-15.0","abi-15","abi-14.0","abi-14","abi-13.0","abi-13","abi-12.27","abi-12.26","abi-12.25","abi-12.24","abi-12.23","abi-12.22","abi-12.21","abi-12.20","abi-12.19","abi-12.18","abi-12.17","abi-12.16","abi-12","testtag0.1","v2.2.0","v2.0.0","v1.0.0","v0.9.0","v0.9.0-preview","v0.6.0","v0.5.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60483.json","vanir_signatures_modified":"2026-07-09T19:35:01Z","vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"119331427118805452260653977110323882068","length":1144},"id":"CVE-2025-60483-0c927a09","signature_type":"Function","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/filters/load_text.c","function":"txtin_process_send_text_sample"}},{"deprecated":false,"digest":{"function_hash":"229378594528598445528239402183340614774","length":1117},"id":"CVE-2025-60483-149d4899","signature_type":"Function","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/odf/descriptors.c","function":"gf_odf_ac4_cfg_clean_list"}},{"source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/filter_core/filter_pid.c","function":"gf_filter_pid_resolve_file_template_ex"},"deprecated":false,"digest":{"function_hash":"184838686202623878916577001940544593865","length":8162},"id":"CVE-2025-60483-16588809","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/filter_core/filter_pid.c"},"deprecated":false,"digest":{"line_hashes":["263229855699910055907089839999455364739","192113742765769321982905987820968519317","265796515486067353279725015632590065927","10900472474120666202727518599613208387"],"threshold":0.9},"id":"CVE-2025-60483-2eebe9f9","signature_type":"Line","signature_version":"v1"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/media_tools/av_parsers.c","function":"gf_ac4_pres_top_channel_pairs"},"deprecated":false,"digest":{"function_hash":"72329964463097325273241771529695068410","length":529},"id":"CVE-2025-60483-3842f775"},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/filters/load_text.c"},"deprecated":false,"digest":{"line_hashes":["274941447431428118303552763218508288485","94529169039144367614443729912742324066","233445931520024186195245170005028677098","251308173171149139094601613017950448959"],"threshold":0.9},"id":"CVE-2025-60483-86516fde"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/media_tools/av_parsers.c","function":"gf_ac4_pres_b_4_back_channels_present"},"deprecated":false,"digest":{"function_hash":"12853528996648484221985318558537587175","length":383},"id":"CVE-2025-60483-c49e9fa3"},{"deprecated":false,"digest":{"function_hash":"167815779127432638081820870950817504914","length":604},"id":"CVE-2025-60483-c94f3045","signature_type":"Function","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"function":"gf_ac4_oamd_common_data","file":"src/media_tools/av_parsers.c"}},{"source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/odf/descriptors.c","function":"gf_odf_ac4_cfg_dsi_v1"},"deprecated":false,"digest":{"function_hash":"52043912534921305866336672133175427024","length":4148},"id":"CVE-2025-60483-d85dcab6","signature_type":"Function","signature_version":"v1"},{"deprecated":false,"digest":{"line_hashes":["21881754412139333564879561943549396813","187425246353187912494381215261152866660","152131168274718466098767917775716842435","46166691777284388558447332696030508480","318100075712337754198511967558730808404","302172459793984814086232159568483977511","276164901311492659373966563863416415002","315832589933922446446407648342029123575","147353908516770057652343077764619110718","299712238538084327212168653616355381101","261268044783629405480604841356721107886","57481430810754653389291400155288281680","321675206653785456496182330702511978153","274573090219790207878364981908708016017","137094092846678770852079822596970685581","39783544712492073382198650615105358454","47828808561271817177125719610403089315"],"threshold":0.9},"id":"CVE-2025-60483-daf7e5ad","signature_type":"Line","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/odf/descriptors.c"}},{"deprecated":false,"digest":{"line_hashes":["269372615484095727664279138480992726371","284662915484188318166549626663487275179","131402185700019386913151730365332512031","209385215032895354917277063366667043613","19500034083579600205700187086289098294","135040001861682879386930705441291951365","181297475272340019449360578467135501194","136487013873471022016688705030312090735","19500034083579600205700187086289098294","135040001861682879386930705441291951365","181297475272340019449360578467135501194","209751471631048242378424560661162680361"],"threshold":0.9},"id":"CVE-2025-60483-e82e87cc","signature_type":"Line","signature_version":"v1","source":"https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695","target":{"file":"src/media_tools/av_parsers.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}