CVE-2025-70116

Published: Mag 27, 2026 Last Modified: Mag 27, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV).

https://github.com/gpac/gpac/issues/3345
https://github.com/gpac/gpac/issues/3345
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/…
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_e…
https://infosec.exchange/@sigdevel/116624563750949972
https://infosec.exchange/@sigdevel/116624563750949972