Description
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free bug has been identified in the gf_sei_load_from_state_internal function of the GPAC MP4Box tool. The flaw allows an attacker to supply a specially crafted MPEG‑2 transport‑stream file that triggers crash. The result is a denial of service, preventing legitimate users from processing media files.

Affected Systems

The vulnerability affects the GPAC Project's MP4Box utility in all releases prior to version 26.02.0. No other vendors or products have been listed as affected by this issue.

Risk and Exploitability

The flaw carries a high severity impact as a failure to recover from the corrupted state will terminate MP4Box, rendering it unusable until restarted. The CVSS score is 7.8 and the EPSS probability is < 1%; the vulnerability is not currently listed in CISA's KEV catalogue. The likely attack vector involves an attacker providing the crafted MPEG‑2 TS file to a run‑time instance of MP4Box, whether locally or via a network service that accepts media inputs. Because the exploitation hinges on delivering a specific file, the risk is moderate to high depending on the exposure of the MP4Box interface.

Generated by OpenCVE AI on June 26, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to version 26.02.0 implementation of gf_sei_load_from_state_internal.
  • Restrict the use of MP4Box to trusted users and sanitize input files by verifying integrity before processing.
  • Monitor logs for repeated crashes or hanging instances of MP4Box and investigate any unusual input patterns.

Generated by OpenCVE AI on June 26, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in GPAC MP4Box SEI Load Function Leads to Denial of Service

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in GPAC MP4Box SEI Load Function Leads to Denial of Service
Weaknesses CWE-416

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-26T18:36:13.799Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60464

cve-icon Vulnrichment

Updated: 2026-06-26T18:36:13.799Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T16:00:04Z

Weaknesses