Skip to main content

GPAC MP4Box CVE-2025-60465

MEDIUM
Use After Free (CWE-416)
2026-06-25 mitre
6.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
vuln.today AI
5.5 MEDIUM

File-triggered DoS requires no authentication and no special privileges; AV:L for local file processing, UI:R for opening the crafted file, A:H for process crash with no confirmed confidentiality or integrity impact per the description.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 26, 2026 - 14:23 vuln.today
Analysis Generated
Jun 26, 2026 - 14:23 vuln.today
CVSS changed
Jun 26, 2026 - 14:22 NVD
6.1 (MEDIUM)
CVE Published
Jun 25, 2026 - 00:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

AnalysisAI

Use-after-free in MP4Box's filter pipeline core (gf_filter_pid_inst_swap in filter_pid.c) allows local attackers to crash the application - and potentially achieve memory corruption beyond DoS - by supplying a crafted media file. Publicly available exploit code exists for this vulnerability, hosted on GitHub in a dedicated proof-of-concept repository. The EPSS score is low (0.17%, 6th percentile) with no CISA KEV listing, suggesting the public POC is research-grade rather than part of active exploitation campaigns, but the barrier to triggering a crash is low for any attacker with file delivery capability.

Technical ContextAI

GPAC is an open-source multimedia framework for MP4/ISOBMFF processing, and MP4Box is its primary command-line tool used extensively in media transcoding and research toolchains. The vulnerability is a CWE-416 (Use After Free) in the filter pipeline subsystem at src/filter_core/filter_pid.c within gf_filter_pid_inst_swap. The root cause is inadequate lifecycle management of GF_FilterPidInst objects during PID relinking: when reconfigure tasks are triggered before a relinking operation completes, a PID instance can be registered as a relink target for a destination while another operation concurrently holds a stale pointer to that same instance. The upstream fix (commit 55b351bd) adds a guard that returns early if src_pidinst already equals filter_dst->swap_pidinst_dst, preventing the double-processing path that frees the object prematurely. The NVD CPE entry (cpe:2.3:a:n/a:n/a:*:*:*:*:*:*:*:*) is a placeholder and provides no usable asset-inventory scoping; affected versions are determined from the GitHub issue and fix commit context.

RemediationAI

Upgrade GPAC/MP4Box to version 26.02.0 or later, which incorporates the guard introduced in commit 55b351bd078c950592544ab4c708a613c1725b9b (https://github.com/gpac/gpac/commit/55b351bd078c950592544ab4c708a613c1725b9b). The originating issue is tracked at https://github.com/gpac/gpac/issues/3283. Note that the '26.02.0' version boundary is stated in the CVE description and linked to the fix commit, but a tagged release at that exact version string has not been independently verified from a formal release page - confirm the specific release tag in the GPAC GitHub repository before deploying. For organizations that cannot patch immediately, restrict MP4Box usage to trusted, internally-generated media files and prevent untrusted or user-submitted files from being processed through automated pipelines. There is no documented configuration flag to disable the affected filter PID swap code path without disabling core media processing functionality, so isolation of the processing environment is the primary compensating control.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-60465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy