CVE-2025-60465 in GPAC

Summary

by MITRE • 06/25/2026

A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file.

Analysis

by VulDB Data Team • 06/26/2026

The vulnerability under examination is a critical use-after-free condition in the GPAC Project's MP4Box utility, specifically in the gf_filter_pid_inst_swap function in the filter_core/filter_pid.c source file. The flaw exists in versions prior to 26.02.0 and stems from improper memory management in which memory is accessed after it has been freed. It manifests when a crafted media file triggers the code path that performs PID (Packet Identifier) instance swapping. Use-after-free conditions are particularly dangerous because they can lead to unpredictable behavior, including application crashes, denial of service, or potentially more severe exploitation if the freed memory is subsequently reallocated for malicious purposes.

The flaw is reached during the normal processing of media files, where gf_filter_pid_inst_swap handles the swapping of packet identifier instances within the filter core subsystem. When an attacker supplies a maliciously crafted media file, the parsing logic triggers a code path that frees the memory associated with PID instances without proper nullification or validation checks. Subsequent operations then attempt to access the freed memory, causing the application to crash or behave unpredictably. The vulnerability is classified as CWE-416, which covers Use After Free conditions in which program code continues to reference memory after it has been freed. This type of flaw is a fundamental memory safety issue that violates secure coding practices and demonstrates inadequate resource management within the media processing pipeline.

The operational impact of this vulnerability extends beyond simple denial of service scenarios, as it can be exploited by attackers to disrupt legitimate media processing operations within applications that rely on GPAC's MP4Box functionality. Systems utilizing this software for video processing, streaming, or content management may experience unexpected termination when encountering maliciously crafted media files, potentially leading to service disruption for end users. The vulnerability is particularly concerning in automated environments where media files are processed without manual intervention, as attackers could systematically cause service degradation by submitting specially crafted files that trigger the memory corruption. From an attacker perspective, this represents a low-effort method for achieving denial of service against systems that process multimedia content through the affected software stack.

Mitigating this vulnerability requires immediate patching to version 26.02.0 or later, where the use-after-free condition has been addressed through proper memory management practices. Organizations should implement comprehensive media file validation and sanitization procedures before processing files through GPAC-based applications, including signature verification and format compliance checks, to prevent exploitation. Network-level protections such as content filtering solutions can help block suspicious media files at ingress points, while application-level hardening measures, including stack canaries, address space layout randomization, and memory protection mechanisms, should be enabled to reduce exploitability. Regular security assessments of media processing pipelines and adherence to secure coding standards, including those specified in the Software Security Development Lifecycle framework, will help prevent similar vulnerabilities from emerging in future releases. The ATT&CK framework categorizes this vulnerability under the T1499.004 technique for Network Denial of Service, emphasizing the importance of robust input validation and memory safety practices in multimedia processing applications.
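For the automated pipelines described above, one way to keep a crash on a crafted file from taking the service down is to run the media tool in its own process per file and quarantine inputs that kill or hang it. This is an added example, not code from GPAC or VulDB; it assumes the pipeline inspects files with "MP4Box -info <file>", and inspect_isolated, triage, Result and the stand-in commands are hypothetical names.

```python
import signal
import subprocess
import sys
from dataclasses import dataclass

# Assumption: the pipeline inspects each upload with "MP4Box -info <file>".
DEFAULT_CMD = ("MP4Box", "-info")


@dataclass
class Result:
    status: str  # "ok", "error", "crash" or "timeout"
    detail: str = ""


def inspect_isolated(path, cmd=DEFAULT_CMD, timeout=30.0):
    """Run the media tool on one file in its own process and classify the outcome."""
    try:
        proc = subprocess.run([*cmd, path], stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        return Result("timeout", f"killed after {timeout}s")
    except FileNotFoundError:
        return Result("error", f"{cmd[0]} not found")
    if proc.returncode < 0:
        # POSIX: a negative return code means the child was killed by a signal,
        # which is how a memory-safety fault such as a use-after-free surfaces.
        try:
            name = signal.Signals(-proc.returncode).name
        except ValueError:
            name = f"signal {-proc.returncode}"
        return Result("crash", name)
    if proc.returncode != 0:
        return Result("error", f"exit code {proc.returncode}")
    return Result("ok")


def triage(paths, cmd=DEFAULT_CMD, timeout=30.0):
    """Return the files to quarantine: those that crashed or hung the tool."""
    return [p for p in paths
            if inspect_isolated(p, cmd, timeout).status in ("crash", "timeout")]


if __name__ == "__main__":
    # Constructed stand-in for a crashing tool: a child that raises SIGSEGV on itself.
    fake = (sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)")
    print(inspect_isolated("sample.mp4", cmd=fake))  # file name is a placeholder
```

A sanitizer-instrumented build may report the fault through a non-zero exit code instead of a signal, so "error" results on files that should be valid are also worth reviewing.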

Responsible: MITRE

Reservation: 09/26/2025

Disclosure: 06/25/2026

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00000

KEV: no

Activities: very low
