Description
A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the gf_filter_pid_reconfigure_task_discard function of GPAC Project’s MP4Box. When a specially crafted media file is processed, the freed memory can be accessed again, causing the program to crash. The crash disables the MP4Box process, resulting in a denial of service attack that can be triggered by providing the malicious file to the application. The vulnerability is a classic use‑after‑free bug (CWE‑416).

Affected Systems

GPAC Project MP4Box is affected in all releases prior to version 26.02.0. Users running any of those earlier releases that accept media file input are at risk.

Risk and Exploitability

Because the flaw requires the attacker to supply a media file to MP4Box, the attack vector is plausibly local or remote depending on how the application is exposed to untrusted input. The CVSS score is 5.5, indicating a moderate severity. The EPSS score is not published, so the exploit probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The impact is limited to service availability; there is no evidence of information disclosure or code execution.

Generated by OpenCVE AI on June 24, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC MP4Box to version 26.02.0 or later when the fix is released.
  • When an update is not immediately possible, validate and sanitize any media files before handing them to MP4Box, ensuring only trusted sources are processed.
  • If feasible, run MP4Box inside a hardened sandbox or container with limited privileges to contain crashes and prevent broader system impact.

Generated by OpenCVE AI on June 24, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Use-After-Free in GPAC MP4Box Causing Denial of Service Through Malicious Media File

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Description A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-24T19:37:07.206Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60471

cve-icon Vulnrichment

Updated: 2026-06-24T19:33:26.515Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T22:00:04Z

Weaknesses