Description
A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: 2026-06-15
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw is a heap use‑after‑free bug in the gf_node_get_tag function of GPAC MP4Box version 2.4. When an attacker supplies a specially crafted MP4 file, the vulnerable function accesses freed memory, causing the application to crash. Attackers can therefore force a denial of service whenever the MP4Box tool processes the malformed media. The weakness is a classic memory management error identified as CWE‑416, which leads to integrity and availability impact but not confidentiality compromise.

Affected Systems

Affected systems include installations of GPAC MP4Box at version 2.4. The CPE identifier lists the generic product, and no other product or vendor is explicitly noted. Existing deployments running the affected version, unless patched, are susceptible. The description does not mention earlier releases, so the scope is limited to the stated version unless further evidence appears.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS score of less than 1% shows that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed public exploitation. Given that the flaw requires an attacker to supply a media file to MP4Box, the attack vector is most likely local or requires the attacker to be able to upload or otherwise supply the crafted file to the system running MP4Box. Consequently, the risk is moderate but still actionable.

Generated by OpenCVE AI on June 18, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to a patched version or a newer release that resolves the heap use‑after‑free bug.
  • Restrict the handling of MP4 files from untrusted sources; validate or sanitize input before passing it to MP4Box.
  • Run MP4Box under least‑privilege privileges or in a sandboxed environment to contain any crashes that could affect other system components or data.

Generated by OpenCVE AI on June 18, 2026 at 01:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Heap Use‑After‑Free in GPAC MP4Box 2.4 Leads to Denial of Service

Tue, 16 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Heap Use‑After‑Free in GPAC MP4Box 2.4 Leads to Denial of Service

Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac gpac
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products Gpac gpac

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Mon, 15 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A heap use-after-free in the gf_node_get_tag function (scenegraph/base_scenegraph.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T20:14:21.715Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55650

cve-icon Vulnrichment

Updated: 2026-06-15T19:22:04.094Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T20:16:24.030

Modified: 2026-06-16T17:39:49.587

Link: CVE-2025-55650

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses