PatchSiren cyber security CVE debrief
CVE-2025-60465 GPAC CVE debrief
CVE-2025-60465 is a use-after-free vulnerability in the gf_filter_pid_inst_swap function of GPAC Project/MP4Box before 26.02.0. This vulnerability allows attackers to cause a Denial of Service (DoS) by supplying a crafted media file. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The CVE was published on 2026-06-25T20:17:08.673Z and last modified on 2026-06-30T19:03:42.293Z. The vendor, GPAC, has released a patch for this vulnerability.
- Vendor: GPAC
- Product: MP4Box
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-06-25
- Advisory updated: 2026-06-30
Who should care
Organizations using GPAC Project/MP4Box before 26.02.0 should prioritize patching this vulnerability to prevent potential Denial of Service (DoS) attacks. Additionally, security teams and administrators responsible for media file processing and GPAC Project/MP4Box deployments should be aware of this vulnerability and take necessary precautions.
Technical summary
The vulnerability is a use-after-free issue in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0. This allows attackers to cause a Denial of Service (DoS) by supplying a crafted media file. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, indicating a Medium severity. The weakness associated with this vulnerability is CWE-416.
Defensive priority
Patching this vulnerability is of high priority to prevent potential Denial of Service (DoS) attacks. Administrators should update GPAC Project/MP4Box to version 26.02.0 or later.
Recommended defensive actions
- Patch GPAC Project/MP4Box to version 26.02.0 or later
- Restrict access to media file processing to trusted sources
- Implement monitoring and logging to detect potential attacks
- Conduct regular vulnerability assessments and penetration testing
- Consider implementing compensating controls, such as Web Application Firewalls (WAFs)
Evidence notes
The CVE-2025-60465 vulnerability was published on 2026-06-25T20:17:08.673Z and last modified on 2026-06-30T19:03:42.293Z. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The vendor, GPAC, has released a patch for this vulnerability. There are multiple references and resources available, including a patch and issue tracking information.
Official resources
- CVE-2025-60465 CVE record: CVE.org
- CVE-2025-60465 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Source reference: [email protected] - Exploit, Issue Tracking
- Source reference: [email protected] - Exploit
- Source reference: [email protected] - Exploit
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Third Party Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Exploit, Mailing List, Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.