{"vulnerability": "CVE-2025-52293", "sightings": [{"uuid": "d3e419d3-0856-4f2e-985f-288248cc4099", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-52293", "type": "seen", "source": "https://infosec.exchange/users/sigdevel/statuses/116710484148913883", "content": "Security Advisory: CVE-2025-52293 - Memory Safety Violation in GPAC MP4Box HEVC SPS Parser\nProcessing a crafted MP4 file containing malformed HEVC SPS data with `MP4Box` can trigger a segmentation fault in `gf_hevc_read_sps_bs_internal()`, causing a Denial of Service.\nSummary:The `gf_hevc_read_sps_bs_internal()` function in `media_tools/av_parsers.c` does not safely handle crafted HEVC SPS data while parsing video configuration from a malicious MP4 file. During import and split processing, malformed SPS data reaches the HEVC parser and causes an invalid memory read.\nAddressSanitizer reports a `SEGV` caused by a `READ` memory access at `media_tools/av_parsers.c:9309`. The crash occurs while MP4Box processes the crafted file through the isomedia input and NAL replacement/configuration path.\nCWE:CWE classification was not specified in the local MITRE data. This issue is best described as a memory safety violation in HEVC SPS parsing, with an observed out-of-bounds/invalid read leading to SIGSEGV.\nAffected Component:```media_tools/av_parsers.c:9309Function: gf_hevc_read_sps_bs_internal()```\nAffected Product:MP4Box (GPAC Multimedia Open Source Project)\nAffected Version:MP4Box versions 2.4 and earlier (GPAC build at commit: 8a0d5b43c242fe4befb88530e4c9afef37114161)\nAttack Conditions:An attacker supplies a crafted MP4 file containing malformed HEVC SPS NAL units. The issue can be reproduced locally with:\n```./MP4Box -add 3_poc.mp4 -new /dev/null -split-size 5000000```No elevated privileges are required. User interaction is required when the victim manually processes the malicious MP4 file, or an automated workflow invokes MP4Box on attacker-controlled media.\nImpact:The immediate observed impact is Denial of Service due to process termination. The local CVE request classifies the issue as a buffer overflow / memory safety violation. The observed ASAN trace shows an invalid read; no evidence of arbitrary code execution was observed.\nFix / mitigation status:The issue was fixed in GPAC commit:\n```d091c7e92ef0b6497b808e243501f500135f69c4```\nUsers should update to a GPAC build containing this commit or later. The parser should validate HEVC SPS bitstream boundaries and reject malformed SPS/NAL data before reading fields from the bitstream.\nReferences:\n- Issue: https://github.com/gpac/gpac/issues/3146- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/3/3_poc.mp4- Fix: https://github.com/gpac/gpac/commit/d091c7e92ef0b6497b808e243501f500135f69c4\nCredit@sigdevel\n#fuzzing #infosec #security #afl #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media", "creation_timestamp": "2026-06-07T19:38:15.114003Z"}]}