Impact
The vulnerability is a use‑after‑free condition (CWE-416) within the gf_filter_pid_inst_swap function of GPAC Project/MP4Box. When a specially crafted media file is processed, the function dereferences freed memory, causing the program to crash. This results in a denial of service, disrupting any service or workflow that relies on MP4Box.
Affected Systems
The affected product is GPAC Project's MP4Box utility. All versions earlier than 26.02.0 are vulnerable. No other vendors or product versions are affected according to the available data.
Risk and Exploitability
The flaw is local to the environment where MP4Box runs; an attacker must supply a crafted media file that triggers the use‑after‑free. Exploitation causes the program to crash, producing a denial of service that interrupts any processing pipelines utilizing MP4Box. The CV6.1 indicates moderate severity, the EPSS score of <1% suggests a low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. No remote code execution or data disclosure is possible through this flaw.
OpenCVE Enrichment