CVE-2025-60466 - Vulnerability Details

Analysis

Impact

The vulnerability is a use-after-free in the gf_filter_pid_get_packet function of GPAC Project's MP4Box. An attacker can supply a crafted media file that causes the program to dereference freed memory, leading to a crash and service interruption. This is a classic use-after-free flaw (CWE-416) that compromises the stability of the tool.

Affected Systems

GPAC Project's MP4Box utility before version 26.02.0 is affected. All builds of MP4Box that use the gf_filter_pid_get_packet routine prior to this release are vulnerable.

Risk and Exploitability

The identified risk is a local denial-of-service triggered by processing a carefully designed media file. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Because a malicious file must be provided to the MP4Box process, the attack vector is assumed to be local via crafted input. Without a published CVSS score, the severity remains unknown, but the denial-of-service can disrupt processing pipelines and services that rely on GPAC MP4Box.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to GPAC MP4Box version 26.02.0 or later to eliminate the use‑after‑free flaw.
If updating is not possible, run MP4Box only on files from trusted sources and, if feasible, isolate the utility in a sandbox or virtual machine to contain potential crashes.
Implement monitoring of MP4Box processes for abnormal termination or high resource consumption, and apply rate limiting to the processing of untrusted media files.

Generated by OpenCVE AI on June 25, 2026 at 00:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

Link	Providers
https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb
https://github.com/gpac/gpac/issues/3284
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827
https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/README.md
https://infosec.exchange/@sigdevel/116780402249845037

History

Thu, 25 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
Title		Use‑After‑Free in GPAC MP4Box Leading to Denial of Service
Weaknesses		CWE-416

Wed, 24 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
References		https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb https://github.com/gpac/gpac/issues/3284 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/README.md https://infosec.exchange/@sigdevel/116780402249845037

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object