Skip to main content

GPAC MP4Box EUVDEUVD-2025-210429

| CVE-2025-15667 LOW
Double Free (CWE-415)
2026-07-06 VulDB GHSA-r4c4-62x2-m3ww
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local-only file processing context requires low privileges; double-free causes crash only, with no confidentiality or integrity impact supported by evidence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 06, 2026 - 12:22 vuln.today
Severity Changed
Jul 06, 2026 - 12:22 NVD
MEDIUM LOW
CVSS changed
Jul 06, 2026 - 12:22 NVD
4.8 (MEDIUM) 1.9 (LOW)

DescriptionCVE.org

A vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/isomedia/avc_ext.c of the component MP4Box. This manipulation of the argument nalu_out_bs causes double free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: f29f955f2a3b5e8e507caad3e52319f961bf37bf. To fix this issue, it is recommended to deploy a patch.

AnalysisAI

Double-free memory corruption in GPAC MP4Box up to version 2.5-DEV allows a local, low-privileged attacker to trigger heap corruption via a crafted MP4 file processed by the gf_isom_nalu_sample_rewrite function, resulting in low availability impact (crash). No confidentiality or integrity impact is indicated by the CVSS 4.0 vector despite the 'Information Disclosure' tag in VulDB, which appears inconsistent with the scored metrics. A public POC exists at GitHub, but no active exploitation has been confirmed and this CVE is not listed in CISA KEV.

Technical ContextAI

GPAC is an open-source multimedia framework; MP4Box is its command-line ISOBMFF/MP4 muxer and demuxer tool. The affected code path is gf_isom_nalu_sample_rewrite in src/isomedia/avc_ext.c, which handles AVC/H.264 NALU (Network Abstraction Layer Unit) sample rewriting within MP4 container tracks. CWE-415 (Double Free) occurs when the nalu_out_bs bitstream buffer object is freed more than once during NALU sample processing, causing heap metadata corruption. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms this is triggered locally with no special attack preconditions, and the vulnerable-system availability impact is low (VA:L), consistent with a crash or abort rather than arbitrary code execution. CPE cpe:2.3:a:n/a:gpac:*:*:*:*:*:*:*:* covers all GPAC versions up to 2.5-DEV.

RemediationAI

Apply upstream patch commit f29f955f2a3b5e8e507caad3e52319f961bf37bf available at https://github.com/gpac/gpac/commit/f29f955f2a3b5e8e507caad3e52319f961bf37bf. This is a source-level commit, not a tagged release - organizations should build GPAC from the patched source tree or wait for an official release that incorporates this fix; a specifically versioned patched release has not been independently confirmed at time of analysis. As a compensating control, restrict execution of MP4Box to trusted users and avoid processing untrusted or externally sourced MP4 files with unpatched builds. If GPAC is used in automated media processing pipelines, sandbox the MP4Box process using seccomp profiles, Linux namespaces, or container isolation to contain the impact of heap corruption to the processing process only. Disabling NALU rewriting operations on untrusted input is not directly configurable via a standalone flag, so process isolation is the most actionable workaround.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

EUVD-2025-210429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy