VYPR
Vypr IntelligenceAI-generatedJun 24, 2026· 7 CVEs

GPAC MP4Box: Seven Memory-Safety CVEs Disclosed in a Single Batch, Fixed in 26.02.0

Seven memory-safety bugs — use-after-free, buffer overflow, and NULL pointer dereference — were disclosed together in GPAC's MP4Box, all fixed in version 26.02.0.

Key findings

  • Seven memory-safety CVEs disclosed together for GPAC/MP4Box, all fixed in version 26.02.0
  • Four use-after-free bugs cluster in the filter pipeline code at filter_core/filter_pid.c
  • Two NULL pointer dereference bugs affect filter_pid.c and isomedia/isom_write.c
  • One buffer overflow found in the gf_media_import function in av_parsers.c
  • All vulnerabilities are reachable via crafted media files and cause denial of service
  • No in-the-wild exploitation reported as of the disclosure date

Seven memory-safety vulnerabilities were disclosed together on June 23–24, 2026, in GPAC's MP4Box multimedia tool, all reachable via crafted media files and capable of causing denial-of-service crashes. The batch, fixed in GPAC 26.02.0, clusters around use-after-free, buffer overflow, and NULL pointer dereference bugs — a pattern that underscores the parsing risk inherent in handling untrusted MP4 and other container formats.

Four of the seven CVEs are use-after-free flaws concentrated in the filter pipeline code at /filter_core/filter_pid.c. CVE-2025-60466 hits gf_filter_pid_get_packet, CVE-2025-60467 hits gf_filter_pid_inst_swap_delete_task, and CVE-2025-60471 hits gf_filter_pid_reconfigure_task_discard. A fourth use-after-free, CVE-2025-60468, also resides in gf_filter_pid_inst_swap_delete_task (lines 574–580) and is described as a buffer overflow variant that improperly accesses freed objects during PID operations. All four allow an attacker to trigger a denial of service by supplying a crafted media file.

Two NULL pointer dereference bugs round out the memory-safety theme. CVE-2025-60473 occurs in gf_filter_in_parent_chain (also in filter_pid.c), while CVE-2025-55639 — the earliest published in the batch, dated June 23 — is in the gf_isom_add_track_kind() function at isomedia/isom_write.c. Both are triggered by crafted MP4 files and lead to a crash.

A separate buffer overflow, CVE-2025-60474, was found in the gf_media_import function inside media_tools/av_parsers.c. Like the others, it is exploitable via a crafted input and results in a denial of service.

All seven CVEs affect GPAC/MP4Box builds prior to version 26.02.0. The GPAC project has addressed the entire batch in that release. Users and downstream integrators should update to 26.02.0 or later to close these crash vectors. No reports of in-the-wild exploitation have been published as of the disclosure date.

For users of GPAC-based tools — including media transcoding pipelines, fuzzing harnesses, and multimedia analysis workflows — this batch is a reminder that parsing untrusted input remains the dominant attack surface. The concentration of bugs in the filter core suggests that the PID (packet identifier) management layer received particular scrutiny in this audit cycle.

AI-written article. Grounded in 7 CVE records listed below.