Impact
The vulnerability is a double free in the function gf_isom_nalu_sample_rewrite within the MP4Box tool of GPAC. Manipulation of the nalu_out_bs argument causes the function to free the same memory block twice, corrupting heap state. This memory corruption can lead to a program crash or unintended behaviour, but the CVE description does not specify that arbitrary code execution is possible.
Affected Systems
GPAC MP4Box, all builds up to and including the 2.5-DEV series, is affected. Users who run these versions of the MP4Box tool processing media files from untrusted sources are at risk.
Risk and Exploitability
The CVSS score of 4.8 indicates low overall severity, and the EPSS score of less than 1% suggests that exploitation is unlikely. The flaw is exploitable only from a local host; an attacker must execute MP4Box or a similar GPAC command with a crafted input file. The vulnerability is not listed in CISA’s KEV catalog, but proof‑of‑concept exploits have been published.
OpenCVE Enrichment