CVE-2025-60466
Received - Intake
Use-After-Free in GPAC MP4Box Media File Processing

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: MITRE

Description
A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
Affected Vendors & Products
Vendor    Product    Version / Range
gpac      mp4box     up to 26.02.0 (exclusive)
Executive Summary

CVE-2025-60466 is a use-after-free vulnerability in the GPAC project, specifically in the function gf_filter_pid_get_packet within the file filter_core/filter_pid.c. This vulnerability occurs when the software processes media files and the 'inspect' filter attempts to access a Packet ID (PID) object after it has already been freed. This improper handling of memory leads to accessing freed memory, causing memory corruption and crashes.

The issue arises during the processing of crafted media files that trigger this condition, resulting in error messages related to MPEG-2 TS packet sync markers and invalid PMT descriptors.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the application when it processes a specially crafted media file. The use-after-free condition leads to memory corruption, which may cause the program to terminate unexpectedly.

Additionally, there is a potential risk that this memory corruption could be exploited to execute arbitrary code, although the primary confirmed impact is a DoS.

Detection Guidance

This vulnerability can be detected by running MP4Box with a crafted media file that triggers the use-after-free condition in the gf_filter_pid_get_packet function. When triggered, error messages related to MPEG-2 TS packet sync markers and invalid PMT descriptors may appear, indicating the presence of the issue.

A practical detection method is to run MP4Box on suspicious or untrusted media files and watch for crashes or error messages that indicate memory corruption or invalid packet handling.

  • Run the command: mp4box <crafted_media_file>
  • Monitor output for errors related to MPEG-2 TS packet sync markers or invalid PMT descriptors.

Mitigation Strategies

Immediate mitigation involves updating GPAC/MP4Box to a version that includes the security fix addressing CVE-2025-60466.

The fix includes additional checks in the filter and PID handling code to prevent operations on removed or finalized filters and PIDs, thereby avoiding use-after-free conditions.

  • Apply the patch from commit 4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb or upgrade to GPAC version 26.02.0 or later.
  • Avoid processing untrusted or crafted media files with vulnerable versions of MP4Box until patched.
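
To check installed builds against the affected range above, the following added example (not code from this page or from the GPAC project) classifies a version banner relative to 26.02.0. The function names, the status labels, the assumed banner form "... version X.Y[.Z][-suffix]" and the handling of -DEV snapshots are assumptions of this example.

```shell
#!/bin/sh
# Added example (not GPAC project code): triage a GPAC/MP4Box version banner
# against the fixed release named in this advisory.
FIXED_VERSION="26.02.0"

# Pull the dotted numeric version out of the first banner line.
# Assumption: the banner has the form "... version X.Y[.Z][-suffix]".
gpac_extract_version() {
    first=$(printf '%s\n' "$1" | head -n 1)
    rest=${first##*version }            # bare "X.Y.Z" input passes through
    printf '%s\n' "$rest" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# Exit status 0 when version $1 is numerically lower than version $2.
gpac_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0   # "+ 0" makes "02" compare as 2
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                              # equal is not lower
    }'
}

# Print one of: vulnerable | patched | verify-commit | unknown
gpac_status() {
    first=$(printf '%s\n' "$1" | head -n 1)
    ver=$(gpac_extract_version "$first")
    [ -n "$ver" ] || { echo unknown; return 0; }
    if gpac_version_lt "$ver" "$FIXED_VERSION"; then echo vulnerable; return 0; fi
    case $first in
        # Assumption: a -DEV snapshot numbered like the fixed release may
        # predate the fix commit, so it needs a source-level check.
        *"$ver"-DEV*) echo verify-commit ;;
        *) echo patched ;;
    esac
}

# Constructed sample banners, not captured from real builds.
for b in "MP4Box - GPAC version 2.4-rev0-g0000000-master" \
         "MP4Box - GPAC version 26.02-DEV-rev1-g0000000-master" \
         "MP4Box - GPAC version 26.02.0-rev0-g0000000-master"; do
    printf '%s => %s\n' "$b" "$(gpac_status "$b")"
done
```

On a host, the banner can be supplied with `gpac_status "$(MP4Box -version 2>&1)"`; a `verify-commit` result means the build should be checked for the fix commit listed above.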

Compliance Impact

The provided information does not include any details about the impact of CVE-2025-60466 on compliance with common standards and regulations such as GDPR or HIPAA.
