Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Local file processing requires user execution (UI:R) with no elevated privileges (PR:L); crash is availability-only with no confidentiality or integrity impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
AnalysisAI
Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).
Technical ContextAI
GPAC is an open-source multimedia processing framework; MP4Box is its primary command-line tool for packaging, inspecting, and manipulating ISO Base Media File Format (ISOBMFF/MP4) content. The vulnerable code path lies in filter_core/filter_pid.c within the GPAC filter graph subsystem, which manages data flow between processing nodes (filters). CWE-416 (Use After Free) is the root cause: the gf_filter_pid_connect_task and gf_filter_pid_init_task functions did not check whether a filter or PID had been marked as removed or finalized before proceeding to access the associated memory. The commit diff confirms that the fix introduces explicit guards (checking pid->removed, filter->finalized, filter->removed) at the entry of these task functions, preventing access to objects already scheduled for deallocation. The vulnerability is triggered by a crafted media file that causes the filter graph to reach a state where a PID is freed mid-task.
RemediationAI
Upgrade to GPAC 26.02.0 or any build incorporating commit 4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb (https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb). This is the vendor-confirmed fix and the only complete resolution. For environments where an immediate upgrade is not feasible, a practical compensating control is to restrict MP4Box from processing untrusted or externally sourced media files - for example, run MP4Box in a sandboxed environment (e.g., bubblewrap, firejail, or a container) so that a triggered crash cannot cascade to host processes. The DoS impact is process-local, so network-level controls offer no mitigation. No workarounds are documented by the vendor for this specific issue. The trade-off of sandboxing is minor operational overhead with no functional degradation to MP4Box's output.
Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra
NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera
GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit
Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit
NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this
An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability
A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit
A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv
An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210330
GHSA-5jcp-h69w-6fg7