PatchSiren cyber security CVE debrief
CVE-2025-60495 GPAC Project CVE debrief
A segmentation violation in the gf_media_get_color_info function within /media_tools/isom_tools.c of GPAC Project/MP4Box before version 26.02.0 allows attackers to cause a Denial of Service (DoS) by supplying a crafted data file. The vulnerability was addressed in a commit to the GPAC repository.
- Vendor: GPAC Project
- Product: MP4Box
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using GPAC Project/MP4Box for media file processing, particularly in automated or user-facing workflows, should prioritize patching to prevent service disruption from maliciously crafted media files.
Technical summary
The vulnerability exists in the gf_media_get_color_info function located in /media_tools/isom_tools.c within the GPAC multimedia framework. When MP4Box processes a specially crafted media file, a segmentation violation occurs, resulting in a denial of service condition. The issue affects all versions prior to 26.02.0. The fix was implemented in commit 9beed3c0a2f38505c745e5376234e7ed66e8e0b1.
Defensive priority
Medium
Recommended defensive actions
- Upgrade GPAC Project/MP4Box to version 26.02.0 or later.
- Apply the referenced commit patch if upgrading is not immediately feasible.
- Validate and sanitize media files before processing with MP4Box, particularly files from untrusted sources.
- Monitor for anomalous crashes in MP4Box processes as potential indicators of exploitation attempts.
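As an added example for this debrief (not GPAC project code), the following Python helpers automate two of the actions above: gating on a reported MP4Box version against 26.02.0, and flagging MP4Box segfault reports in Linux kernel logs. The version banner format and the log lines are constructed assumptions; adapt the parsing to your own build output and log source.

```python
"""Defensive helpers for CVE-2025-60495 (GPAC/MP4Box).

Added example for this debrief, not GPAC project code. The "GPAC version" banner
format and the sample log lines are constructed assumptions.
"""
import re

# First release stated by the advisory to carry the fix for gf_media_get_color_info.
FIXED_VERSION = (26, 2, 0)

# Assumed banner shape, e.g. "MP4Box - GPAC version 26.02.0"; check your build's output.
_VERSION_RE = re.compile(r"GPAC version\s+(\d+)\.(\d+)(?:\.(\d+))?")

# Linux kernel segfault report as seen in dmesg / journalctl -k, restricted to MP4Box.
_SEGFAULT_RE = re.compile(
    r"\bMP4Box\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)"
    r".*?\bin (?P<module>\S+?)\["
)


def parse_version(banner: str):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_patched(banner: str) -> bool:
    """True only when the banner reports 26.02.0 or later; unknown versions count as unpatched."""
    v = parse_version(banner)
    return v is not None and v >= FIXED_VERSION


def find_mp4box_segfaults(lines):
    """Extract MP4Box segfault events (pid, faulting address, module) from kernel log lines."""
    hits = []
    for line in lines:
        m = _SEGFAULT_RE.search(line)
        if m:
            hits.append({"pid": int(m.group("pid")), "addr": m.group("addr"),
                         "module": m.group("module")})
    return hits


# Constructed sample log: two MP4Box crashes, one unrelated process, one benign MP4Box line.
SAMPLE_LOG = [
    "Jun  1 10:02:11 media01 kernel: MP4Box[4321]: segfault at 0 ip 00007f3c2a1b4c2d "
    "sp 00007ffd2e1c3a40 error 4 in libgpac.so.13[7f3c2a100000+300000]",
    "Jun  1 10:02:15 media01 kernel: ffmpeg[100]: segfault at 8 ip 0000555555554000 "
    "sp 00007ffd00000000 error 4 in ffmpeg[555555554000+1000]",
    "Jun  1 10:03:40 media01 MP4Box[4322]: import complete",
    "Jun  1 10:04:02 media01 kernel: MP4Box[4323]: segfault at 10 ip 00007f3c2a1b4c2d "
    "sp 00007ffd2e1c3a40 error 4 in libgpac.so.13[7f3c2a100000+300000]",
]
```

Feed the real output of `journalctl -k` or `dmesg` to `find_mp4box_segfaults` and alert when the count from an ingest host rises above its baseline.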
Evidence notes
The CVE description identifies the vulnerable function and file path. A commit reference is available that appears to contain the fix. An issue report and proof-of-concept documentation are also referenced in the source data.