GPAC MP4Box CVE-2025-60486

EUVD-2025-210006 · MEDIUM
Use After Free (CWE-416)
2026-06-01 · cve@mitre.org · GHSA-4543-w4pw-mmjc
CVSS 3.1 (NVD): 5.5

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Jun 01, 2026 - 17:33 (vuln.today): Source Code Evidence Fetched
Jun 01, 2026 - 17:33 (vuln.today): Analysis Generated
Jun 01, 2026 - 17:22 (NVD): CVSS changed, 5.5 (MEDIUM)
Jun 01, 2026 - 15:16 (nvd): CVE Published, UNKNOWN (no severity yet)

Description (CVE.org)

A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.

Analysis (AI)

Heap use-after-free in GPAC MP4Box's dasher filter allows local attackers to crash the application by supplying a crafted MPEG-2 file. The flaw exists in dasher_configure_pid within src/filters/dasher.c, where a freed GF_DashStream object can still be referenced via muxed_base pointers held by other stream structures, resulting in a dangling pointer dereference. Impact is limited to Denial of Service (A:H, C:N, I:N); a publicly available proof-of-concept confirms reproducibility, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Technical Context (AI)

GPAC is an open-source multimedia framework; MP4Box is its primary command-line tool for packaging, transmuxing, and MPEG-DASH segmentation. The vulnerable component is the DASH packager filter in src/filters/dasher.c (CWE-416: Use After Free). In dasher_configure_pid, the local pointer GF_DashStream *ds was left uninitialized in certain execution paths, and when a stream was removed or reconfigured, other GF_DashStream objects in ctx->current_period->streams with muxed_base pointing to the freed ds were not nulled out, creating dangling pointers. The fix initializes ds=NULL and iterates over the current period's stream list to clear any muxed_base references before the stream object is released. The vulnerability is triggered specifically when processing MPEG-2 content through the dasher pipeline. CPE data in EUVD is listed as n/a, so precise CPE strings were not available from the provided intelligence.
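
A reduced model of the dangling-reference pattern and the fix described above, as an added example rather than GPAC's code: the Stream and Period types and the period_add, period_remove and demo helpers are hypothetical stand-ins, and only the muxed_base field name comes from the advisory text.

```c
#include <stdlib.h>
#define MAX_STREAMS 8

/* Simplified stand-ins, not GPAC's types; only the muxed_base field name
 * comes from the advisory text. */
typedef struct Stream {
    struct Stream *muxed_base;          /* non-owning link to another stream */
} Stream;

typedef struct { Stream *streams[MAX_STREAMS]; size_t count; } Period;

static Stream *period_add(Period *p, Stream *base) {
    Stream *s = (p->count < MAX_STREAMS) ? calloc(1, sizeof *s) : NULL;
    if (!s) return NULL;
    s->muxed_base = base;
    p->streams[p->count++] = s;
    return s;
}

/* Unlink ds from the period and free it. With clear_refs == 0 this models the
 * pre-fix behaviour: other streams keep muxed_base pointing at freed memory.
 * Returns how many such references remain (counted before the free). */
static size_t period_remove(Period *p, Stream *ds, int clear_refs) {
    size_t kept = 0, dangling = 0;
    for (size_t i = 0; i < p->count; i++) {
        Stream *s = p->streams[i];
        if (s == ds) continue;                      /* drop ds from the list */
        if (s->muxed_base == ds) {
            if (clear_refs) s->muxed_base = NULL;   /* the fix: null the link */
            else dangling++;
        }
        p->streams[kept++] = s;
    }
    p->count = kept;
    free(ds);
    return dangling;
}

/* Constructed scenario: one base stream with two streams muxed onto it. */
static size_t demo(int clear_refs) {
    Period p = {0};
    Stream *base = period_add(&p, NULL);
    period_add(&p, base);
    period_add(&p, base);
    size_t dangling = period_remove(&p, base, clear_refs);
    for (size_t i = 0; i < p.count; i++) free(p.streams[i]);
    return dangling;
}
int main(void) { return demo(1) == 0 && demo(0) == 2 ? 0 : 1; }
```

The model never dereferences the stale links; building a real reproduction with AddressSanitizer is how such a dereference would be reported as a heap-use-after-free.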

Remediation (AI)

Upgrade GPAC to version 26.02.0 or later, which incorporates the fix from upstream commit e6d01820d7bf3967d931fedb379ee5f209bc133b (https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b). The fix version 26.02.0 is stated in the CVE description but no formal vendor release advisory URL was found beyond the GitHub commit and issue tracker entry at https://github.com/gpac/gpac/issues/3314. If immediate upgrade is not feasible, restrict MP4Box usage to trusted, internally generated MPEG-2 files only, and avoid exposing MP4Box-based processing pipelines to externally supplied media content. Disabling or sandboxing the dasher pipeline for untrusted input would eliminate the attack surface, though this trades off DASH packaging capability. No official workaround bypassing the need for upgrade has been published at time of analysis.
