Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
MP4Box is a local file-parsing tool requiring a victim to process the crafted file, so AV:L and UI:R; impact is a crash only, giving A:H with C:N/I:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
AnalysisAI
Denial of service in GPAC (libgpac/MP4Box) before 26.02.0 lets an attacker crash the application by feeding it a crafted media file that triggers a use-after-free in gf_filter_pid_inst_swap_delete_task within the filter-core PID handling code. Any pipeline or user that parses untrusted media through GPAC is affected, with publicly available proof-of-concept code, though no active exploitation has been reported and EPSS exploitation probability is low (0.17%, 6th percentile). Impact is limited to availability - there is no confidentiality or integrity loss per the CVSS vector.
Technical ContextAI
GPAC is a widely used open-source multimedia framework whose MP4Box tool and libgpac library handle muxing, demuxing and transcoding of MP4/ISOBMFF and many other container formats through an internal filter graph. The flaw is a CWE-416 Use-After-Free in src/filter_core/filter_pid.c: during PID (packet identifier) reconfiguration, gf_filter_pid_inst_swap_delete_task can operate on a filter PID instance whose memory has already been freed when a relink/detach is concurrently pending. The upstream fix (commit 976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77) adds a guard so a destination is not relinked when a detach (pidinst->detach_pending) is already pending, preventing the freed instance from being reused. The CPE in the feed is a placeholder (cpe:2.3:a:n/a:n/a:*) and provides no usable product/version data, so affected-product identification rests on the GPAC issue/commit and the 'before 26.02.0' description.
RemediationAI
Upgrade GPAC/MP4Box to 26.02.0 or later, which includes the fix commit 976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77 that guards against relinking a destination PID while a detach is pending (Vendor-released patch: 26.02.0; fix verifiable via the linked GPAC commit). If you cannot upgrade immediately, the practical compensating controls are to stop processing untrusted media with vulnerable builds: route untrusted/user-uploaded files through a different validated decoder, or sandbox/isolate MP4Box execution (run it as an unprivileged, resource-limited, restartable worker process) so a crash only kills the disposable worker rather than the host service - the trade-off is added pipeline complexity and latency. For server-side ingestion, restrict or queue file submission and add automatic restart/supervision so the DoS does not cause sustained outage. Track the upstream issue at https://github.com/gpac/gpac/issues/3286 and confirm your distribution has rebuilt against 26.02.0.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210331
GHSA-3q4w-vhww-wccf