Description
GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the filter_core/filter_pid.c file of GPAC MP4Box, where the function gf_filter_pid_inst_swap_delete_task improperly accesses freed objects during cleanup after a PID instance swap or delete operation. This improper access results in a heap use‑after‑free that can be triggered by a specially crafted MPEG‑2 TS or MP4 file, causing the application to crash. The weakness is a classic buffer overflow/use‑after‑free scenario that undermines the integrity of the media processing pipeline and can be exploited locally by a user with permission to execute MP4Box on a crafted media file.

Affected Systems

Affected is the GPAC Multimedia Open Source Project, specifically the MP4Box component. The affected version is 2.5‑DEV‑rev1593‑gfe88c3545‑master. No other vendors or product lines are listed.

Risk and Exploitability

The flaw can be exploited locally by a user who has permission to execute MP4Box with a specially crafted media file. Based on the description, the likely attack vector is local, authenticated execution of MP4Box with a crafted MPEG‑2 TS or MP4 file. No remote exploitation vector is known. Because the vulnerability is limited to the host machine, a malicious file supplied via untrusted media would be required. The EPSS score is < 1% and the CVSS score of 5.5 indicate a low probability of exploitation and moderate severity, respectively, but the presence of a heap use‑after‑free and lack of remote code execution suggest a moderate to high risk for systems relying on MP4Box for unattended media processing.

Generated by OpenCVE AI on June 25, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream patch from commit 976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77 that addresses the heap use‑after‑free in gf_filter_pid_inst_swap_delete_task.
  • If the patch is not yet available, avoid processing untrusted MPEG‑2 TS or MP4 files with the current MP4Box build, or run the program in a sandboxed environment to contain crashes.
  • Upgrade to a newer release of GPAC MP4Box that contains the fix, or monitor the project’s repository and pull requests for an updated version.
  • As a temporary workaround, disable or exclude the filter_pid feature from the build if it is not required for your workflow.

Generated by OpenCVE AI on June 25, 2026 at 18:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title GPAC MP4Box Heap Use‑After‑Free via PID Instance Swap/Delete

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Buffer Overflow Causing Local Denial of Service in GPAC MP4Box
Weaknesses CWE-416

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac mp4box
Vendors & Products Gpac
Gpac mp4box

Thu, 25 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Buffer Overflow Causing Local Denial of Service in GPAC MP4Box
Weaknesses CWE-122
CWE-416

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Description GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ¶¶ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T13:33:58.397Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60468

cve-icon Vulnrichment

Updated: 2026-06-25T13:31:11.373Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T18:15:04Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow