Skip to main content

GPAC MP4Box CVE-2025-60466

| EUVDEUVD-2025-210330 MEDIUM
Use After Free (CWE-416)
2026-06-25 cve@mitre.org GHSA-5jcp-h69w-6fg7
5.0
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
5.0 MEDIUM

Local file processing requires user execution (UI:R) with no elevated privileges (PR:L); crash is availability-only with no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 25, 2026 - 17:31 vuln.today
Analysis Generated
Jun 25, 2026 - 17:31 vuln.today
CVSS changed
Jun 25, 2026 - 15:22 NVD
5.0 (MEDIUM)
CVE Published
Jun 25, 2026 - 00:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

AnalysisAI

Use-after-free in MP4Box's filter pipeline (gf_filter_pid_get_packet, filter_core/filter_pid.c) crashes the application when processing a crafted media file, resulting in Denial of Service. Affected versions are all GPAC/MP4Box releases prior to 26.02.0. A publicly available proof-of-concept exploit exists, though exploitation requires local access and user interaction - the CVSS vector (AV:L/UI:R) and low EPSS score of 0.17% indicate limited real-world automated exploitation risk. No confirmed active exploitation (CISA KEV not listed).

Technical ContextAI

GPAC is an open-source multimedia processing framework; MP4Box is its primary command-line tool for packaging, inspecting, and manipulating ISO Base Media File Format (ISOBMFF/MP4) content. The vulnerable code path lies in filter_core/filter_pid.c within the GPAC filter graph subsystem, which manages data flow between processing nodes (filters). CWE-416 (Use After Free) is the root cause: the gf_filter_pid_connect_task and gf_filter_pid_init_task functions did not check whether a filter or PID had been marked as removed or finalized before proceeding to access the associated memory. The commit diff confirms that the fix introduces explicit guards (checking pid->removed, filter->finalized, filter->removed) at the entry of these task functions, preventing access to objects already scheduled for deallocation. The vulnerability is triggered by a crafted media file that causes the filter graph to reach a state where a PID is freed mid-task.

RemediationAI

Upgrade to GPAC 26.02.0 or any build incorporating commit 4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb (https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb). This is the vendor-confirmed fix and the only complete resolution. For environments where an immediate upgrade is not feasible, a practical compensating control is to restrict MP4Box from processing untrusted or externally sourced media files - for example, run MP4Box in a sandboxed environment (e.g., bubblewrap, firejail, or a container) so that a triggered crash cannot cascade to host processes. The DoS impact is process-local, so network-level controls offer no mitigation. No workarounds are documented by the vendor for this specific issue. The trade-off of sandboxing is minor operational overhead with no functional degradation to MP4Box's output.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

CVE-2025-60466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy