Description
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that an adversary can trigger a denial of service by supplying a crafted media file. A use-after-free flaw exists in the gf_filter_pid_inst_swap_delete_task function within the GPAC Project's MP4Box component. Processing the crafted file crashes the media processing tool, resulting in an application or system denial of service.

Affected Systems

The affected product is GPAC MP4Box. Any installation older than version 26.02.0 is potentially vulnerable. No specific vendor or product sub‑listing is available beyond the general GPAC Project designation.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is not provided, but based on the description it is inferred that the documented impact is a local or remote denial of service, achievable by having MP4Box process a crafted MP4 file that reaches the gf_filter_pid_inst_swap_delete_task function.

Generated by OpenCVE AI on June 25, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to version 26.02.0 or later, ensuring the use‑after‑free is patched.
  • Avoid processing untrusted media files with MP4Box; validate or quarantine files before ingestion.
  • If immediate upgrade is not possible, limit MP4Box’s exposure by restricting file uploads or disabling network access to the media handling routine.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Use-After-Free Leading to Denial of Service in GPAC MP4Box |
| Weaknesses | | CWE-416 |

Wed, 24 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-24T22:56:28.912Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60467

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T02:00:05Z

Weaknesses