Description
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that an adversary can trigger a denial of service by supplying a crafted media file. A use‑after‑free flaw exists in the gf_filter_pid_inst_swap_delete_task function within the GPAC Project’s MP4Box component. The vulnerability allows an adversary to crash the media processing tool by supplying a specially crafted media file, resulting in an application or system denial of service.

Affected Systems

The affected product is GPAC MP4Box. Any installation older than version 26.02.0 is potentially vulnerable. No specific vendor or product sub‑listing is available beyond the general GPAC Project designation.

Risk and Exploitability

The EPSS score indicates that exploitation probability is low, at less than 1%. The CVSS score of 7.5 reflects a significant potential for Denial of Service. Although it is not listed in the CISA KEV catalog, the flaw remains exploitable through crafted media files processed by the gf_filter_pid_inst_swap_delete_task function. The likely attack vector is supplying a crafted media file to the processing tool, which may be executed remotely if the tool is exposed to untrusted input.

Generated by OpenCVE AI on June 25, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC MP4Box to version 26.02.0 or later, ensuring the use‑after‑free is patched.
  • Avoid processing untrusted media files with MP4Box; validate or quarantine files before ingestion.
  • If immediate upgrade is not possible, limit MP4Box’s exposure by restricting file uploads or disabling network access to the media handling routine.

Generated by OpenCVE AI on June 25, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Use-After‑Free Leading to Denial of Service in GPAC MP4Box

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 25 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Use-After‑Free Leading to Denial of Service in GPAC MP4Box
Weaknesses CWE-416

Wed, 24 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Description A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-27T05:18:14.010Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60467

cve-icon Vulnrichment

Updated: 2026-06-27T05:18:14.010Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:00:12Z

Weaknesses