Heap Use-After-Free Vulnerability in GPAC Project's MP4Box
CVE-2025-60486

5.5MEDIUM

Key Information:

Vendor: GPAC Project
Status: MP4Box
Vendor: CVE Published:; 1 June 2026

🔔 Create GPAC Project Vulnerability Alert

What is CVE-2025-60486?

The GPAC Project's MP4Box is susceptible to a heap use-after-free vulnerability in the dasher_process function, specifically identified in the dasher.c file. This flaw allows an attacker to craft a specially designed MPEG-2 file, leading to potential Denial of Service (DoS) by exploiting this weakness. Without proper memory management, the application can become unstable, highlighting the critical importance of secure coding practices and timely updates to protect against such attacks.

References

https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931f...

https://github.com/gpac/gpac/issues/3314

https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Bo...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Sep 26, 2025

CVE-2025-60486 Data

JSON