GPAC MP4Box CVE-2025-60464
Severity (by source): HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Note: local parsing that requires the victim to open a crafted TS file gives AV:L/UI:R; the documented impact is crash-only, so C:N/I:N/A:H would fit better than the high C/I in the vendor vector.
Primary rating from vendor (mitre).
CVSS vector (vendor: mitre): CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (source: CVE.org)
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Analysis (AI-generated)
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_load_from_state_internal function of the SEI loader filter (src/filters/sei_load.c). Processing a maliciously crafted MPEG-2 Transport Stream file causes the parser to dereference a dangling pointer, crashing the application. Publicly available exploit code (a PoC test case and write-up) exists, though the issue is not listed in CISA KEV and carries a low EPSS exploitation probability (0.17%, 6th percentile).
Technical Context (AI-generated)
GPAC is a widely used open-source multimedia framework, and MP4Box is its command-line packaging/analysis utility. The flaw lives in the SEI (Supplemental Enhancement Information) loader filter, which manages per-codec parser state for AV1, VVC and other codecs. The root cause is CWE-416 (Use After Free): the commit diff (8f404bd) shows a copy-paste defect in seiloader_set_type() where, after freeing the AV1 state with gf_free(sei->av1_state), the code mistakenly nulled the unrelated pointer (sei->vvc_state = NULL) instead of sei->av1_state = NULL. This left sei->av1_state pointing at freed memory, so a subsequent codec-type switch triggered by a crafted MPEG-2 TS stream re-references the freed AV1 parser state. The CPE string in the CVE record is a placeholder (cpe:2.3:a:n/a:n/a:*), so exact affected-product enumeration relies on the description rather than NVD CPE data.
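As an added illustration, not GPAC's own code: the shape of the defect described above beside its corrected form, modelled on a simplified loader struct. The struct, enum and function names (sei_loader, seiloader_set_type_buggy/_fixed, switch_twice_is_safe) are hypothetical stand-ins for the real ones.

```c
#include <stdlib.h>
/* Hypothetical simplification of the SEI loader state (not GPAC's code). */
enum codec_type { CODEC_NONE = 0, CODEC_AV1, CODEC_VVC };
typedef struct { int reserved; } av1_parser_state;   /* stand-in */
typedef struct { int reserved; } vvc_parser_state;   /* stand-in */

typedef struct {
    enum codec_type type;
    av1_parser_state *av1_state;
    vvc_parser_state *vvc_state;
} sei_loader;

/* Shape of the defect the advisory describes: the AV1 state is freed but the
 * unrelated VVC pointer is reset, so av1_state keeps pointing at freed memory
 * and the next codec switch re-uses it (CWE-416). For comparison only. */
void seiloader_set_type_buggy(sei_loader *sei, enum codec_type t)
{
    if (sei->av1_state) {
        free(sei->av1_state);
        sei->vvc_state = NULL;            /* BUG: should be sei->av1_state */
    }
    sei->type = t;
}

/* Corrected form: free and null the same pointer in one step so a stale
 * pointer cannot survive a codec-type switch. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)
void seiloader_set_type_fixed(sei_loader *sei, enum codec_type t)
{
    if (sei->av1_state) FREE_AND_NULL(sei->av1_state);
    if (sei->vvc_state) FREE_AND_NULL(sei->vvc_state);
    sei->type = t;
}

/* Drive the pattern a crafted TS stream triggers: two codec-type switches
 * in a row. Returns 1 if no pointer is left dangling after either switch. */
int switch_twice_is_safe(void)
{
    sei_loader sei = { CODEC_NONE, NULL, NULL };
    sei.av1_state = calloc(1, sizeof *sei.av1_state);
    if (!sei.av1_state) return 0;
    seiloader_set_type_fixed(&sei, CODEC_VVC);      /* frees the AV1 state */
    int first_ok = (sei.av1_state == NULL);
    sei.vvc_state = calloc(1, sizeof *sei.vvc_state);
    if (!sei.vvc_state) return 0;
    seiloader_set_type_fixed(&sei, CODEC_AV1);      /* second switch */
    return first_ok && sei.av1_state == NULL && sei.vvc_state == NULL
           && sei.type == CODEC_AV1;
}
```

Building the fixed variant under AddressSanitizer and running the double switch is the quickest way to confirm no freed pointer is ever touched.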
Remediation (AI-generated)
Upgrade to GPAC/MP4Box version 26.02.0 or later, which contains the corrected pointer-reset logic; the upstream fix is commit 8f404bd581e455267482f86272169a742f654b97 (referenced from issue https://github.com/gpac/gpac/issues/3278). Treat this as an upstream fix that is available as a commit, with the 26.02.0 release line as the documented fixed version per the description. Where an immediate upgrade is not possible, the practical compensating control is to avoid running MP4Box/libgpac against untrusted or attacker-supplied MPEG-2 TS files: process only files from trusted sources, and if MP4Box is part of an automated ingestion or transcoding pipeline, sandbox the process (for example, run it under a restricted user, under seccomp, or in a container with no sensitive mounts) so that a crash cannot affect other workloads. The trade-off of restricting input is reduced automation and throughput for untrusted media; sandboxing adds operational overhead but contains the impact to a single process restart.
Weakness: CWE-416 – Use After Free
Technique: Denial of Service