Description
A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-24
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free fault inside the gf_filter_pid_get_packet function of GPAC's MP4Box program. When the software processes a specially crafted media file, it dereferences memory that has already been freed, causing the process to crash. This flaw is a classic instance of CWE‑416 and results in a denial‑of‑service through program termination.

Affected Systems

GPAC Project's MP4Box utility released before 26.02.0 is affected. Any build of MP4Box that utilizes the gf_filter_pid_get_packet routine in its current state is vulnerable.

Risk and Exploitability

The reported EPSS score of less than 1% indicates a very low likelihood of exploitation under current conditions. The CVSS score of 5.0 classifies the weakness as a moderate severity issue that compromises availability but does not provide privilege escalation or data exposure. Because an attacker must supply a malicious media file, the most probable attack vector is a local or remote process that is fed crafted input. The vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on June 25, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to version 26.02.0 or later to eliminate the use‑after‑free flaw.
  • If an upgrade is not immediately possible, process only media files from trusted sources and consider running MP4Box inside a sandbox or isolated environment.
  • Add monitoring for if the MP4Box process exits unexpectedly or consumes excessive resources, and throttle the rate at which untrusted media files are processed.

Generated by OpenCVE AI on June 25, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in GPAC MP4Box Leading to Denial of Service

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 25 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Use‑After‑Free in GPAC MP4Box Leading to Denial of Service
Weaknesses CWE-416

Wed, 24 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-27T05:18:12.694Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60466

cve-icon Vulnrichment

Updated: 2026-06-27T05:18:12.694Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T17:15:15Z

Weaknesses