CVE-2025-60464 in GPAC
Summary
by MITRE • 06/25/2026
A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability under examination represents a critical use-after-free condition within the GPAC Project's MP4Box software, specifically in the gf_sei_load_from_state_internal function located in the filters/sei_load.c module. This issue affects versions prior to 26.02.0 and demonstrates how improper memory management can lead to system instability and denial of service conditions. The flaw manifests when the application processes specially crafted MPEG-2 TS files, which contain malformed or maliciously constructed data that triggers the vulnerable code path during media processing operations.
The technical implementation of this vulnerability stems from a classic memory safety issue where a pointer reference is accessed after the memory it points to has been freed and potentially reallocated. In the context of video processing software like MP4Box, the gf_sei_load_from_state_internal function handles the loading and parsing of SEI (Supplemental Enhancement Information) data streams within MPEG-2 transport streams. When an attacker supplies a malicious TS file containing crafted SEI data structures, the function fails to properly validate memory references during the state loading process, leading to a situation where freed memory locations are accessed, potentially causing application crashes or system instability.
From an operational perspective, this vulnerability presents significant risk to users of MP4Box and related GPAC tools that process multimedia content. The denial of service condition can be triggered remotely through the simple act of opening or processing a malicious file, making it particularly dangerous in environments where automated media processing occurs. Attackers can exploit this weakness by preparing specially crafted MPEG-2 TS files that contain malformed SEI data, causing MP4Box to crash when attempting to parse the content. The impact extends beyond individual application instability as it can affect automated workflows, media servers, and content processing pipelines that depend on reliable operation of these tools.
The vulnerability aligns with CWE-416, which specifically addresses use-after-free conditions in software implementations, and represents a common pattern in multimedia processing applications where complex parsing logic must handle various input formats while maintaining proper memory management. From an attack framework perspective, this issue maps to several ATT&CK techniques including T1203 (Exploitation for Execution) and T1499 (Endpoint Termination) as it can be leveraged to disrupt system operations through controlled resource exhaustion or application crashes. The vulnerability also demonstrates the importance of proper input validation in multimedia processing frameworks, where malformed content can lead to memory corruption issues that compromise system integrity.
Effective mitigation strategies include immediate deployment of patched versions 26.02.0 and later, which contain the necessary memory management fixes for the vulnerable function. Additionally, implementing restrictive file processing policies that validate media content before ingestion, utilizing sandboxed execution environments for media processing operations, and maintaining regular security updates for multimedia frameworks can significantly reduce exposure to similar vulnerabilities. Organizations should also consider implementing network-level controls that restrict access to potentially malicious media files and establish monitoring protocols to detect unusual application behavior patterns that may indicate exploitation attempts.