Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local vector with low-privilege requirement matches file-processing trigger; impact is availability-only crash with no confidentiality or integrity consequence.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
AnalysisAI
Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in gf_filter_pid_inst_swap_delete_task() within filter_core/filter_pid.c, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.
Technical ContextAI
GPAC is an open-source multimedia framework used for MP4/MPEG processing; MP4Box is its command-line muxing/demuxing tool. The vulnerable component is filter_core/filter_pid.c, specifically the task callback gf_filter_pid_inst_swap_delete_task() around lines 574-580. During filter graph teardown, when a PID instance undergoes a swap-then-delete operation, the function does not check whether a re-link is already pending (detach_pending flag), and proceeds to dereference a pidinst object after the underlying memory has been freed. This matches CWE-122 (Heap-based Buffer Overflow) in classification, though the root cause is more precisely a use-after-free (UAF) pattern - freed heap memory is accessed during callback execution triggered by crafted filter graph state. The upstream fix (commits 976dacf6 and aed9c94e) adds the guard condition else if (!pidinst->detach_pending) to prevent re-linking when a pending detach already exists, breaking the UAF trigger path. CPE data provided is non-informative (n/a), so exact version scope is bounded only by the named dev revision.
RemediationAI
Apply the upstream fix commits available at https://github.com/gpac/gpac/commit/976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77 and https://github.com/gpac/gpac/commit/aed9c94e92e8ba362ddb29c767c519478f46f195. These commits add the !pidinst->detach_pending guard to prevent re-entry into the relinking path when a detach is already in progress. No vendor-released tagged patch version has been independently confirmed at time of analysis - the fix is available as upstream commits only (pre-release). As a compensating control, restrict MP4Box from processing untrusted or externally-supplied MPEG-2 TS and MP4 files; this fully eliminates the attack surface since the vulnerability is triggered only via file processing. In automated pipelines, sandbox MP4Box execution (e.g., via seccomp, container isolation, or a dedicated unprivileged user) so that a crash does not affect other services - the DoS impact is limited to the MP4Box process itself.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210332
GHSA-fj4j-92hj-mcwp