Description
A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free condition (CWE-416) within the gf_filter_pid_inst_swap function of GPAC Project/MP4Box. When a specially crafted media file is processed, the function dereferences freed memory, causing the program to crash. This results in a denial of service, disrupting any service or workflow that relies on MP4Box.

Affected Systems

The affected product is GPAC Project's MP4Box utility. All versions earlier than 26.02.0 are vulnerable. No other vendors or product versions are affected according to the available data.

Risk and Exploitability

The flaw is local to the environment where MP4Box runs; an attacker must supply a crafted media file that triggers the use‑after‑free. Exploitation causes the program to crash, producing a denial of service that interrupts any processing pipelines utilizing MP4Box. The CV6.1 indicates moderate severity, the EPSS score of <1% suggests a low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. No remote code execution or data disclosure is possible through this flaw.

Generated by OpenCVE AI on June 26, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to version 26.02.0 or newer
  • If an upgrade is not possible, avoid running MP4Box on untrusted media or execute it in a sandboxed environment to contain potential exploitation attempts
  • Deploy a watchdog or monitoring mechanism to automatically restart MP4Box if it crashes, ensuring workflow continuity

Generated by OpenCVE AI on June 26, 2026 at 18:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title Use-After-Free in GPAC MP4Box Leading to Denial of Service

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 25 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Use-After-Free in GPAC MP4Box Leading to Denial of Service
Weaknesses CWE-416

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-27T05:18:11.398Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60465

cve-icon Vulnrichment

Updated: 2026-06-27T05:18:11.398Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses