Description
A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use‑after‑free (CWE‑416) in the dasher_process function in filters/dasher.c of GPAC's MP4Box, affecting releases before 26.02.0. A crafted MPEG‑2 file supplied as input causes the dasher to access memory that has already been freed; the outcome the advisory describes is a crash of MP4Box, which stops processing of the input stream and yields a denial of service.

Affected Systems

GPAC MP4Box releases before 26.02.0 are affected. Users of the open‑source MP4Box tool should verify that the installed binary reports a version of 26.02.0 or later. The record lists Gpac as the vendor, Gpac mp4box as the product and MITRE as the assigning CNA; no other vendors or downstream products are listed.

Risk and Exploitability

The CVSS 3.1 score is 5.5 (Medium), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, low complexity, no privileges required, user interaction required, and an impact on availability only. No EPSS score is available, so there is no quantitative exploitation probability. The attacker must get a malicious MPEG‑2 file processed by MP4Box; CVSS rates that as a local vector, but a service that feeds user‑uploaded media into MP4Box (for example a DASH packaging pipeline, which is what dasher_process implements) exposes the same crash to remote input. The advisory describes the impact as a crash rather than data disclosure or code execution, so the threat is to availability, not confidentiality or integrity. SSVC records Exploitation: none and Automatable: no, and the CVE is not in CISA's KEV catalog, so no in‑the‑wild exploitation has been reported.

Generated by OpenCVE AI on June 1, 2026 at 16:28 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The description gives 26.02.0 as the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade MP4Box to version 26.02.0 or later, the first release the description lists as unaffected by the dasher_process heap use‑after‑free.
  • If an upgrade is not immediately feasible, only let MP4Box process files from trusted sources, run it with the least privilege the job needs, and monitor for crashes in any pipeline that invokes it.
  • Apply any later vendor updates promptly, following vendor instructions.
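The version check that the Affected Systems note and the first recommended action call for, as an added example that is not GPAC's or OpenCVE's own code. It assumes that `MP4Box -version` prints a banner containing the release as a dotted numeric token (such as "MP4Box - GPAC version 2.4.0-rev0"); the banner used for the stand‑alone run is constructed, not captured from a real build. The comparison is done field by field rather than as a string so that 2.4.0 sorts below 26.02.0, and a banner with no recognisable version is reported as unknown instead of being guessed.

```shell
#!/bin/sh
# Added example, not GPAC project code: gate an installed MP4Box against
# CVE-2025-60486 (heap use-after-free in dasher_process, fixed in 26.02.0).
# Assumption: `MP4Box -version` prints a banner containing the release as a
# dotted numeric token, e.g. "MP4Box - GPAC version 2.4.0-rev0". A banner
# without such a token is reported as "unknown", never guessed.

FIXED_VERSION="26.02.0"

# Pull the first dotted numeric version (X.Y or X.Y.Z) out of a banner line.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# version_lt A B: exit 0 when A is strictly lower than B, comparing each
# dot-separated field numerically (so 2.4.0 < 26.02.0 and 26.2.0 == 26.02.0).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# verdict BANNER: prints "affected", "fixed" or "unknown" for a version banner.
verdict() {
    v="$(extract_version "$1")"
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo affected
    else
        echo fixed
    fi
}

# check_installed: query the MP4Box on PATH and print its verdict.
# Exits non-zero unless the build is known to be fixed, so it fails closed
# when used to gate a CI job or a wrapper around untrusted media.
check_installed() {
    command -v MP4Box >/dev/null 2>&1 || { echo "MP4Box not found" >&2; return 2; }
    banner="$(MP4Box -version 2>&1 | head -n 1)"
    result="$(verdict "$banner")"
    echo "MP4Box: $banner -> $result (CVE-2025-60486, fixed in $FIXED_VERSION)"
    [ "$result" = fixed ]
}

# Constructed sample banner for a stand-alone run (not real MP4Box output).
verdict "MP4Box - GPAC version 2.4.0-rev0"
```

Call `check_installed` from a wrapper or CI step instead of the constructed sample at the bottom; because it only succeeds on a build it can positively identify as 26.02.0 or later, an unparseable banner blocks the job rather than silently passing.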


Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000 (no values removed)

  • Metrics added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
  • Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 16:45:00 +0000 (no values removed)

  • Title added: Heap Use‑After‑Free in MP4Box dasher_process Leads to Denial of Service with Crafted MPEG‑2 Files
  • First Time appeared: Gpac; Gpac mp4box
  • Weaknesses added: CWE-416
  • Vendors & Products added: Gpac; Gpac mp4box

Mon, 01 Jun 2026 15:00:00 +0000 (no values removed)

  • Description added: A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.
References

MITRE
  Status: PUBLISHED
  Assigner: mitre
  Published:
  Updated: 2026-06-01T16:40:31.298Z
  Reserved: 2025-09-26T00:00:00.000Z
  Link: CVE-2025-60486

Vulnrichment
  Updated: 2026-06-01T16:40:13.590Z

NVD
  Status: Received
  Published: 2026-06-01T15:16:28.753
  Modified: 2026-06-01T17:16:37.490
  Link: CVE-2025-60486

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-01T16:30:06Z

Weaknesses