CVE-2025-60468 in GPAC

Summary

by MITRE • 06/25/2026

GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task() improperly accesses freed objects during PID instance swap/delete cleanup, leading to heap use-after-free. The attack vector is: Local (AV:L): a local, authenticated user who processes a specially crafted MPEG-2 TS/MP4 file with MP4Box can trigger the bug during filter teardown (PID instance swap/delete), causing a crash.

In GPAC's MP4Box, gf_filter_pid_inst_swap_delete_task() in filter_core/filter_pid.c may dereference objects after they have been freed when cleaning up PID instances after a swap/delete operation. Crafted inputs (e.g., malformed MPEG-2 TS) can trigger a heap use-after-free and crash; exploitation may be possible.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability under consideration affects the GPAC Multimedia Open Source Project's MP4Box component version 2.5-DEV-rev1593-gfe88c3545-master, specifically within the filter_core/filter_pid.c file at lines 574-580. This represents a critical buffer overflow condition that manifests as a heap use-after-free vulnerability during the cleanup phase of PID instance swapping and deletion operations. The flaw occurs when the gf_filter_pid_inst_swap_delete_task() function attempts to access memory objects that have already been freed, creating an exploitable condition that can lead to system instability.

The technical implementation of this vulnerability stems from improper memory management practices within the filter teardown process. During normal operation, MP4Box processes multimedia files including MPEG-2 TS and MP4 formats through its filtering infrastructure. When a PID instance swap or delete operation occurs, the system attempts to clean up previously allocated resources but fails to properly manage object lifecycles. The function gf_filter_pid_inst_swap_delete_task() executes a sequence of operations that ultimately results in accessing memory locations that have been deallocated, creating a use-after-free condition that can be triggered through malformed input files.

This vulnerability presents significant operational risks for systems utilizing MP4Box for multimedia processing, particularly in environments where untrusted input files are processed. The local attack vector means that an authenticated user with the ability to process specially crafted MPEG-2 TS or MP4 files can exploit this weakness to cause a denial of service condition through system crashes. The heap use-after-free condition creates unpredictable behavior that can result in program termination, memory corruption, or potentially more severe consequences depending on the execution environment and memory layout.

The impact extends beyond simple denial of service as this vulnerability could potentially be leveraged for more sophisticated attacks if proper exploit mitigations are not in place. According to CWE standards, this corresponds to CWE-416 Use After Free, which represents a well-documented class of vulnerabilities that occur when program code continues to reference memory after it has been freed. The ATT&CK framework would categorize this as a privilege escalation or denial of service technique that could be used by local attackers to disrupt system services, with potential for further exploitation if additional vulnerabilities exist in the memory management subsystem.

Mitigation strategies should focus on implementing proper memory lifecycle management within the affected function and ensuring that all object references are properly invalidated after deallocation. System administrators should consider immediate updates to MP4Box when patched versions become available, as well as implementing input validation measures to prevent processing of malformed multimedia files. Additionally, deploying memory safety tools such as address sanitizers or heap profilers during development and testing phases can help identify similar vulnerabilities before they can be exploited in production environments. Organizations should also consider restricting local user privileges for MP4Box operations and implementing monitoring solutions to detect potential exploitation attempts through system crash patterns or unusual resource consumption.
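The sanitizer-based testing and crash monitoring mentioned above can be tied to this entry by checking AddressSanitizer reports against the function, file and line range the advisory names. The following is an added example, not code from GPAC or VulDB; the sample reports are constructed, and their addresses, build paths and the frame names example_caller and example_reader are made up.

```python
import re

# Identifiers below come from the advisory text.
CVE_FUNC = "gf_filter_pid_inst_swap_delete_task"
CVE_FILE = "filter_core/filter_pid.c"
CVE_LINES = range(574, 581)  # "L:574-580"

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

def triage(report: str) -> dict:
    """Compare one ASan report with the advisory's bug class and location."""
    err = ERROR_RE.search(report)
    if err is None:
        return {"bug_class": None, "matches_cve": False, "in_reported_lines": False}
    # The first stack is the faulting access; the "freed by" and "allocated by"
    # stacks come after a blank line and must not count as a match.
    access_stack = report[err.end():].split("\n\n", 1)[0]
    frames = [(f, p, int(n)) for f, p, n in FRAME_RE.findall(access_stack)]
    hit = next((fr for fr in frames if fr[0] == CVE_FUNC and fr[1].endswith(CVE_FILE)), None)
    is_uaf = err.group(1) == "heap-use-after-free"
    return {
        "bug_class": err.group(1),
        "matches_cve": is_uaf and hit is not None,
        "in_reported_lines": is_uaf and hit is not None and hit[2] in CVE_LINES,
    }

# Constructed sample reports (addresses, paths and other frame names are made up).
SAMPLE_MATCH = "\n".join([
    "==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001234 at pc 0x000000401000",
    "READ of size 8 at 0x60b000001234 thread T0",
    "    #0 0x401000 in gf_filter_pid_inst_swap_delete_task /build/gpac/src/filter_core/filter_pid.c:576:5",
    "    #1 0x402000 in example_caller /build/gpac/src/example.c:10:3",
    "",
    "freed by thread T0 here:",
    "    #0 0x403000 in free (/usr/lib/libasan.so+0xabc)",
])
SAMPLE_OTHER = "\n".join([
    "==4243==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000005678 at pc 0x000000404000",
    "READ of size 4 at 0x60b000005678 thread T0",
    "    #0 0x404000 in example_reader /build/gpac/src/example.c:42:9",
    "",
    "freed by thread T0 here:",
    "    #0 0x403000 in gf_filter_pid_inst_swap_delete_task /build/gpac/src/filter_core/filter_pid.c:576:5",
])

if __name__ == "__main__":
    for name, rep in (("match", SAMPLE_MATCH), ("other", SAMPLE_OTHER)):
        print(name, triage(rep))
```

The second sample shows why only the access stack is inspected: the named function appears there solely in the "freed by" stack, so the report is a different use-after-free and is not attributed to this entry.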

Responsible

MITRE

Reservation

09/26/2025

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00125

KEV

no

Activities

low
