Impact
The vulnerability is a use‑after‑free fault inside the gf_filter_pid_get_packet function of GPAC's MP4Box program. When the software processes a specially crafted media file, it dereferences memory that has already been freed, causing the process to crash. This flaw is a classic instance of CWE‑416 and results in a denial‑of‑service through program termination.
Affected Systems
GPAC Project's MP4Box utility released before 26.02.0 is affected. Any build of MP4Box that utilizes the gf_filter_pid_get_packet routine in its current state is vulnerable.
Risk and Exploitability
The reported EPSS score of less than 1% indicates a very low likelihood of exploitation under current conditions. The CVSS score of 5.0 classifies the weakness as a moderate severity issue that compromises availability but does not provide privilege escalation or data exposure. Because an attacker must supply a malicious media file, the most probable attack vector is a local or remote process that is fed crafted input. The vulnerability is not listed in CISA's KEV catalog.
OpenCVE Enrichment