Description
A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free condition in the gf_filter_pid_inst_swap function of GPAC Project/MP4Box. When the function processes a specially crafted media file, it dereferences freed memory, causing the program to crash. This results in a denial of service, disrupting any service or workflow that relies on MP4Box.

Affected Systems

The affected product is GPAC Project's MP4Box utility. Any version earlier than 26.02.0 is vulnerable. No other vendor or product versions are affected according to the available data.

Risk and Exploitability

The vulnerability is local to the environment running MP4Box; it requires the attacker to supply a crafted media file to the tool. The EPSS score is not available, and the vulnerability has not been listed in the CISA KEV catalog, indicating a low to moderate risk of exploitation at present. Exploitation would lead to a crash and potential downtime but does not provide remote code execution or data disclosure.

Generated by OpenCVE AI on June 25, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to version 26.02.0 or later
  • If an upgrade is not possible, avoid running MP4Box on untrusted media files, or execute it in a sandboxed environment
  • Monitor for crash logs and treat them as indicators of potential exploitation attempts


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Use-After-Free in GPAC MP4Box Leading to Denial of Service |
| Weaknesses | | CWE-416 |

Thu, 25 Jun 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T19:17:34.873Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60465

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z
