CVE-2025-60471
Received Received - Intake
Use-After-Free in GPAC MP4Box Media File Processing

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: MITRE

Description
A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2025-60471
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac_project mp4box to 26.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free issue in the function gf_filter_pid_reconfigure_task_discard within the GPAC Project's MP4Box software before version 26.02.0. It occurs when the software processes a specially crafted media file, leading to improper memory handling.

Impact Analysis

An attacker can exploit this vulnerability by supplying a crafted media file, which can cause the software to crash or become unavailable, resulting in a Denial of Service (DoS).

Compliance Impact

There is no information provided in the available context or resources about how CVE-2025-60471 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for repeated errors related to MPEG-2 Transport Stream (TS) processing, such as invalid TS packets, unsupported stream types, and broken Program Map Table (PMT) descriptors. These symptoms indicate that a crafted media file is triggering the use-after-free condition in the GPAC framework.

A proof-of-concept demonstrates triggering the vulnerability by processing maliciously crafted MPEG-2 TS files with MP4Box, which leads to these error messages before crashing.

While no explicit detection commands are provided, running MP4Box on suspicious media files and observing for errors like "invalid TS packets" or "broken PMT descriptors" can help identify attempts to exploit this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, the immediate step is to update GPAC/MP4Box to a version that includes the fix for CVE-2025-60471. The fix involves improved memory management in the filter_pid.c file, preventing premature deletion of PID instances and avoiding the use-after-free condition.

Until the update is applied, avoid processing untrusted or suspicious MPEG-2 Transport Stream files that could trigger the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart