CVE-2025-60468
Analyzed Analyzed - Analysis Complete

Heap Use-After-Free in GPAC MP4Box

Vulnerability report for CVE-2025-60468, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: MITRE

Description

GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash. ΒΆΒΆ In GPAC s MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 26.02.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. A local, authenticated user can cause MP4Box to crash by processing a specially crafted media file, disrupting normal operation. There is also a possibility that the heap use-after-free could be exploited further, potentially leading to more severe consequences, although this is not confirmed.

Executive Summary

This vulnerability exists in the GPAC Multimedia Open Source Project's MP4Box component, specifically in the function gf_filter_pid_inst_swap_delete_task() within filter_core/filter_pid.c. The issue is a buffer overflow caused by improper access to freed memory objects during the cleanup of PID instances after a swap or delete operation. When a local, authenticated user processes a specially crafted MPEG-2 TS or MP4 file with MP4Box, this bug can be triggered during filter teardown, leading to a heap use-after-free condition and causing the program to crash.

Detection Guidance

This vulnerability can be detected by processing specially crafted MPEG-2 TS or MP4 files with GPAC's MP4Box tool and monitoring for crashes or memory errors during PID instance cleanup.

Using debugging tools such as AddressSanitizer can help detect heap use-after-free errors by identifying invalid memory accesses during execution.

A practical approach is to run MP4Box on suspicious or malformed MPEG-2 TS files and observe if the tool crashes or reports memory corruption.

Example command to test a file for the vulnerability (replace <file.ts> with your test file):

  • ASAN_OPTIONS=detect_leaks=1 mp4box -info <file.ts>

This command runs MP4Box with AddressSanitizer enabled to detect use-after-free or heap corruption issues triggered by malformed input.

Mitigation Strategies

The immediate mitigation step is to update GPAC MP4Box to a version that includes the fix for this vulnerability.

The fix involves improved handling of PID instance states during discard and reconfiguration operations to prevent use-after-free conditions.

  • Apply the patch from commit aed9c94e92e8ba362ddb29c767c519478f46f195 which introduces proper discard mode tracking and safer PID instance cleanup.
  • Avoid processing untrusted or malformed MPEG-2 TS or MP4 files with vulnerable versions of MP4Box.

If updating immediately is not possible, restrict local user access to MP4Box or run it in a sandboxed environment to limit potential damage from exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60468. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart