Impact
GPAC MP4Box version 2.4 contains a heap use‑after‑free bug in the gf_node_get_tag function (scenegraph/base_scenegraph.c). A malicious MP4 file crafted to exploit this flaw can trigger the errant use of freed memory, causing the application to crash and thereby denying service. The weakness is a classic example of CWE‑416, which reduces program stability but does not provide remote code execution or data exfiltration.
Affected Systems
The vulnerability affects users of GPAC MP4Box version 2.4. No other GPAC versions are listed as impacted, and there are no specific operating system or platform constraints noted in the available data.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium risk level, while the EPSS score of less than 1% suggests that genuine exploitation attempts are currently rare. Because the flaw is triggered by a crafted MP4 file, the likely attack vector is anyone able to supply such a file to a running instance of MP4Box – for example, via a file upload feature or network transfer. The vulnerability is not listed in CISA’s KEV catalog, so it is not known to be actively exploited by threat actors.
OpenCVE Enrichment