CVE-2025-60471
Analyzed Analyzed - Analysis Complete

Use-After-Free in GPAC MP4Box Media File Processing

Vulnerability report for CVE-2025-60471, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-29

Assigner: MITRE

Description

A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-29
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 26.02.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the function gf_filter_pid_reconfigure_task_discard within the GPAC Project's MP4Box software before version 26.02.0. It occurs when the software processes a specially crafted media file, leading to improper memory handling.

Impact Analysis

An attacker can exploit this vulnerability by supplying a crafted media file, which can cause the software to crash or become unavailable, resulting in a Denial of Service (DoS).

Compliance Impact

There is no information provided in the available context or resources about how CVE-2025-60471 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for repeated errors related to MPEG-2 Transport Stream (TS) processing, such as invalid TS packets, unsupported stream types, and broken Program Map Table (PMT) descriptors. These symptoms indicate that a crafted media file is triggering the use-after-free condition in the GPAC framework.

A proof-of-concept demonstrates triggering the vulnerability by processing maliciously crafted MPEG-2 TS files with MP4Box, which leads to these error messages before crashing.

While no explicit detection commands are provided, running MP4Box on suspicious media files and observing for errors like "invalid TS packets" or "broken PMT descriptors" can help identify attempts to exploit this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, the immediate step is to update GPAC/MP4Box to a version that includes the fix for CVE-2025-60471. The fix involves improved memory management in the filter_pid.c file, preventing premature deletion of PID instances and avoiding the use-after-free condition.

Until the update is applied, avoid processing untrusted or suspicious MPEG-2 Transport Stream files that could trigger the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart