MEDIUM 5.5

CVE-2025-60486: Heap Use-After-Free in GPAC MP4Box MPEG-2 Dasher – DoS Vulnerability

A memory safety flaw in GPAC's MP4Box tool allows an attacker to crash the application by processing a specially crafted MPEG-2 video file. The vulnerability stems from improper memory management in the dasher_process function—specifically, the code attempts to access memory that has already been freed. An attacker with local file access can exploit this by distributing a malicious video file that, when opened in MP4Box, triggers the defect and renders the tool unusable. This is a denial-of-service issue rather than a path to code execution or data theft.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-416
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-60486 is a heap use-after-free vulnerability (CWE-416) in the /filters/dasher.c module of GPAC Project's MP4Box before version 26.02.0. The dasher_process function fails to properly manage allocated heap memory during MPEG-2 file parsing, leading to a situation where freed memory is dereferenced. The vulnerability is triggered when processing a maliciously crafted MPEG-2 container. Since the flaw involves reading from previously deallocated memory, it typically results in a crash rather than controlled exploitation. The CVSS 3.1 score of 5.5 (Medium severity) reflects the local attack vector, no privilege requirement, and high availability impact.

Business impact

Organizations that rely on MP4Box for batch video processing, transcoding pipelines, or media ingestion workflows face service interruptions if an attacker supplies a hostile MPEG-2 file. In media production environments or content distribution networks, this could disrupt critical workflows. The impact is primarily operational availability rather than confidentiality or integrity—processes will fail, but data is not exposed or modified. For users integrating MP4Box into unattended automated systems, this vulnerability could be leveraged to halt legitimate processing tasks.

Affected systems

GPAC Project's MP4Box tool in versions prior to 26.02.0 is vulnerable. The flaw exists in the MPEG-2 dasher processing path, so exploitation requires that MP4Box is configured to handle or process MPEG-2 content. Users on version 26.02.0 or later are not affected. The vulnerability requires local file access—an attacker must supply a malicious MPEG-2 file to a system where MP4Box will process it.

Exploitability

Exploitation requires an attacker to craft a malicious MPEG-2 file and trick or cause a user to open it with MP4Box. The attack surface is relatively narrow: the vulnerability is local, requires user interaction (or automated processing of untrusted files), and results in a crash rather than privilege escalation or remote code execution. An attacker cannot remotely trigger this flaw; they must place a hostile file in a location where MP4Box will be invoked. In environments where MP4Box processes files from untrusted sources without validation, the risk is higher. The CVSS vector (AV:L/AC:L/PR:N/UI:R) indicates a low complexity attack with no special privileges needed, but the user interaction requirement limits real-world exposure.

Remediation

Upgrade GPAC Project's MP4Box to version 26.02.0 or later. Users unable to immediately patch should restrict MP4Box access to trusted MPEG-2 sources and implement input validation or sandboxing when processing media from external or user-supplied origins. If MP4Box is not required, disabling or removing the dasher filter component may mitigate risk in some configurations.

Patch guidance

Update MP4Box to version 26.02.0 or later, available from the official GPAC Project repository. Verify the update is correctly installed by checking the tool's version output. Test the patched version with existing MPEG-2 workflows to ensure compatibility before full deployment. For organizations running MP4Box in containerized or virtual environments, rebuild images with the patched version and redeploy.

Detection guidance

Monitor for crashes or unexpected exits of MP4Box processes, especially when processing MPEG-2 files from external sources. Log file access patterns to MP4Box inputs and correlate unusual or malformed MPEG-2 files with subsequent process failures. In production environments, implement crash dump analysis to confirm heap use-after-free signatures (look for freed memory access traces in debugger output). Alert on repeated or rapid MP4Box crashes associated with specific file sources, which may indicate an attack.

Why prioritize this

While the CVSS score is medium (5.5), prioritize this based on your organization's dependency on MP4Box for critical workflows. If MP4Box is only used for testing or low-priority tasks, this can be addressed within a standard patch cycle. However, if media processing is integral to your service delivery, treat this as higher priority to prevent service interruption. The lack of KEV status and the requirement for user interaction lower urgency compared to remotely exploitable flaws, but availability impact to core processes should elevate it in your risk register.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects: local attack vector (no remote exploitation), low complexity (a malformed file is sufficient), no privilege escalation required, user interaction needed (a user or automated system must process the file), and high availability impact (crash/DoS). The score does not account for business context—if your organization does not use MP4Box or processes only trusted media, your actual risk is lower; if MP4Box is mission-critical and processes external content, your risk is higher.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is local (AV:L), meaning an attacker must place or supply a malicious MPEG-2 file to a system where MP4Box will process it. Remote exploitation is not possible; the file must be accessed locally.

Does this allow an attacker to execute code or steal data?

No. The vulnerability causes a denial of service (crash) only. It does not provide code execution, data exfiltration, or privilege escalation. The impact is strictly availability—the MP4Box process will crash.

Which versions of MP4Box are affected?

All versions before 26.02.0 are vulnerable. Version 26.02.0 and later include the fix. Verify your installed version with 'MP4Box -version' or equivalent.

If we don't use MPEG-2 files, are we still at risk?

The vulnerability specifically affects the dasher_process function during MPEG-2 parsing. If your workflows do not involve MPEG-2 content, the attack vector is closed; however, upgrading to 26.02.0 is still recommended for defense-in-depth.

This analysis is provided for informational purposes and reflects publicly available information and vendor advisories as of the publication date. CVSS scores and exploit details are sourced from official vulnerability databases and should be verified against the latest vendor guidance. Actual risk varies by organizational context, system configuration, and the presence of compensating controls. Test all patches in non-production environments before deployment. SEC.co does not guarantee the completeness or accuracy of third-party vendor data and recommends consulting official GPAC Project documentation for authoritative patching instructions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).