CVE-2025-60486
Heap Use-After-Free in GPAC MP4Box via MPEG-2 File
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | 26.02.0 |
| gpac | mp4box | to 26.02.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate the heap use-after-free vulnerability in GPAC Project/MP4Box before version 26.02.0, you should update to the latest version of GPAC where the issue has been addressed.
The vulnerability is caused by improper memory management in the dasher module when processing crafted MPEG-2 Transport Stream files. Applying the patch that fixes memory handling in filters/dasher.c and related files will prevent exploitation.
If immediate updating is not possible, avoid processing untrusted or malicious MPEG-2 files with MP4Box, especially those that might contain corrupted Program Map Table descriptors or repeated sync marker violations.
Can you explain this vulnerability to me?
CVE-2025-60486 is a heap use-after-free vulnerability in the dasher_process function within the filters/dasher.c file of the GPAC Project's MP4Box software before version 26.02.0.
This vulnerability occurs when processing maliciously crafted MPEG-2 Transport Stream files that contain corrupted Program Map Table (PMT) descriptors and repeated sync marker violations. Specifically, the dasher module improperly manages memory for PID contexts: a PID context is freed in the dasher_configure_pid() function but its pointer is later accessed in dasher_process(), leading to a use-after-free condition.
This memory mismanagement can cause the program to access freed heap memory, which is a serious programming error that can lead to crashes or other unpredictable behavior.
How can this vulnerability impact me? :
This vulnerability can be exploited by attackers supplying a crafted MPEG-2 file to the vulnerable MP4Box software.
The primary impact is a Denial of Service (DoS), where the application crashes or becomes unstable due to the heap use-after-free error.
Such a crash could disrupt media processing workflows or services relying on GPAC's MP4Box, potentially causing downtime or loss of availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by processing a crafted MPEG-2 Transport Stream (TS) file that triggers the heap use-after-free in the dasher_process function of GPAC's MP4Box.
A specific command to reproduce and detect the issue is:
- ./MP4Box -dash 100 53_dasher_process_filters_dasher_c_9445
This command processes the corrupted TS file and exposes the memory corruption issue related to the vulnerability.