Description
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug has been identified in the gf_sei_load_from_state_internal function of the GPAC MP4Box tool. The flaw allows an attacker to supply a specially crafted MPEG‑2 transport‑stream file that triggers the memory corruption, causing the application to crash. The result is a denial of service, preventing legitimate users from processing media files.

Affected Systems

The vulnerability affects the GPAC Project's MP4Box utility in all releases prior to version 26.02.0. No other vendors or products have been listed as affected by this issue.

Risk and Exploitability

The impact is rated high severity because MP4Box terminates when it fails to recover from the corrupted state and remains unusable until it is restarted. No official CVSS score or EPSS probability has been published, and the vulnerability is not currently listed in CISA's KEV catalogue. The likely attack vector is an attacker providing the crafted MPEG‑2 TS file to a running instance of MP4Box, whether locally or through a network service that accepts media input. Because exploitation hinges on delivering a specific file, the risk is moderate to high depending on how exposed the MP4Box interface is.

Generated by OpenCVE AI on June 25, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to version 26.02.0 or later, which contains a fixed implementation of gf_sei_load_from_state_internal.
  • Restrict the use of MP4Box to trusted users and sanitize input files by verifying integrity before processing.
  • Monitor logs for repeated crashes or hanging instances of MP4Box and investigate any unusual input patterns.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Use‑After‑Free in GPAC MP4Box SEI Load Function Leads to Denial of Service |
| Weaknesses | | CWE-416 |

Thu, 25 Jun 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T19:12:09.090Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60464

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses