Impact
The reported flaw is a heap use‑after‑free bug in the gf_node_get_tag function of GPAC MP4Box version 2.4. When an attacker supplies a specially crafted MP4 file, the vulnerable function accesses freed memory, causing the application to crash. Attackers can therefore force a denial of service whenever the MP4Box tool processes the malformed media. The weakness is a classic memory management error identified as CWE‑416, which leads to integrity and availability impact but not confidentiality compromise.
Affected Systems
Affected systems include installations of GPAC MP4Box at version 2.4. The CPE identifier lists the generic product, and no other product or vendor is explicitly noted. Existing deployments running the affected version, unless patched, are susceptible. The description does not mention earlier releases, so the scope is limited to the stated version unless further evidence appears.
Risk and Exploitability
The CVSS score of 5.5 indicates a moderate severity. The EPSS score of less than 1% shows that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed public exploitation. Given that the flaw requires an attacker to supply a media file to MP4Box, the attack vector is most likely local or requires the attacker to be able to upload or otherwise supply the crafted file to the system running MP4Box. Consequently, the risk is moderate but still actionable.
OpenCVE Enrichment