CVE-2025-60467
Received Received - Intake
Use-After-Free in GPAC MP4Box Prior to 26.02.0

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: MITRE

Description
A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2025-60467
EUVD
EUVD-2025-210331
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac_project mp4box to 26.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the function gf_filter_pid_inst_swap_delete_task within the GPAC Project's MP4Box software before version 26.02.0. It occurs when the software improperly handles memory, allowing attackers to exploit this flaw by supplying a specially crafted media file.

Impact Analysis

Exploiting this vulnerability can cause a Denial of Service (DoS) condition, meaning the affected software may crash or become unresponsive when processing a maliciously crafted media file.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60467. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart