PatchSiren

CVE-2025-60465 GPAC CVE debrief

CVE-2025-60465 is a use-after-free vulnerability in the gf_filter_pid_inst_swap function of GPAC Project/MP4Box before 26.02.0. It allows attackers to cause a Denial of Service (DoS) by supplying a crafted media file. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The CVE was published on 2026-06-25T20:17:08.673Z and last modified on 2026-06-30T19:03:42.293Z. The vendor, GPAC, has released a patch for this vulnerability.

Vendor: GPAC
Product: MP4Box
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-06-30
Advisory published: 2026-06-25
Advisory updated: 2026-06-30

Who should care

Organizations using GPAC Project/MP4Box before 26.02.0 should prioritize patching this vulnerability to prevent potential Denial of Service (DoS) attacks. Additionally, security teams and administrators responsible for media file processing and GPAC Project/MP4Box deployments should be aware of this vulnerability and take necessary precautions.

Technical summary

The vulnerability is a use-after-free issue in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0. This allows attackers to cause a Denial of Service (DoS) by supplying a crafted media file. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, indicating a Medium severity. The weakness associated with this vulnerability is CWE-416.

Defensive priority

Patching this vulnerability is of high priority to prevent potential Denial of Service (DoS) attacks. Administrators should update GPAC Project/MP4Box to version 26.02.0 or later.

Recommended defensive actions

  • Patch GPAC Project/MP4Box to version 26.02.0 or later
  • Restrict access to media file processing to trusted sources
  • Implement monitoring and logging to detect potential attacks
  • Conduct regular vulnerability assessments and penetration testing
  • Consider implementing compensating controls, such as Web Application Firewalls (WAFs)

Evidence notes

The CVE-2025-60465 vulnerability was published on 2026-06-25T20:17:08.673Z and last modified on 2026-06-30T19:03:42.293Z. The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The vendor, GPAC, has released a patch for this vulnerability. There are multiple references and resources available, including a patch and issue tracking information.

This article is AI-assisted and based on the supplied source corpus.