CVE-2025-60486
Deferred Deferred - Pending Action
Heap Use-After-Free in GPAC MP4Box via MPEG-2 File

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: MITRE

Description
A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2025-60486
EUVD
EUVD-2025-210006
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gpac mp4box 26.02.0
gpac mp4box to 26.02.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60486 is a heap use-after-free vulnerability in the dasher_process function within the filters/dasher.c file of the GPAC Project's MP4Box software before version 26.02.0.

This vulnerability occurs when processing maliciously crafted MPEG-2 Transport Stream files that contain corrupted Program Map Table (PMT) descriptors and repeated sync marker violations. Specifically, the dasher module improperly manages memory for PID contexts: a PID context is freed in the dasher_configure_pid() function but its pointer is later accessed in dasher_process(), leading to a use-after-free condition.

This memory mismanagement can cause the program to access freed heap memory, which is a serious programming error that can lead to crashes or other unpredictable behavior.

Mitigation Strategies

To mitigate the heap use-after-free vulnerability in GPAC Project/MP4Box before version 26.02.0, you should update to the latest version of GPAC where the issue has been addressed.

The vulnerability is caused by improper memory management in the dasher module when processing crafted MPEG-2 Transport Stream files. Applying the patch that fixes memory handling in filters/dasher.c and related files will prevent exploitation.

If immediate updating is not possible, avoid processing untrusted or malicious MPEG-2 files with MP4Box, especially those that might contain corrupted Program Map Table descriptors or repeated sync marker violations.

Compliance Impact

The vulnerability described is a heap use-after-free in the GPAC Project/MP4Box that allows an attacker to cause a Denial of Service (DoS) by supplying a crafted MPEG-2 file.

There is no information provided in the available context or resources about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can be exploited by attackers supplying a crafted MPEG-2 file to the vulnerable MP4Box software.

The primary impact is a Denial of Service (DoS), where the application crashes or becomes unstable due to the heap use-after-free error.

Such a crash could disrupt media processing workflows or services relying on GPAC's MP4Box, potentially causing downtime or loss of availability.

Detection Guidance

This vulnerability can be detected by processing a crafted MPEG-2 Transport Stream (TS) file that triggers the heap use-after-free in the dasher_process function of GPAC's MP4Box.

A specific command to reproduce and detect the issue is:

  • ./MP4Box -dash 100 53_dasher_process_filters_dasher_c_9445

This command processes the corrupted TS file and exposes the memory corruption issue related to the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart