GPAC: Three Vulnerabilities Including DoS and Public Exploit Disclosed Together
A batch of three vulnerabilities in the GPAC multimedia framework, including two use-after-free flaws and one weakness with public exploit code, was disclosed between June 28 and June 30, 2026.

Key findings
- Three vulnerabilities in GPAC disclosed between June 28 and June 30, 2026.
- Two use-after-free vulnerabilities (CVE-2025-60464, CVE-2025-60465) leading to Denial of Service.
- CVE-2026-13523 affects data encoding and has publicly available exploit code.
- All disclosed vulnerabilities affect GPAC versions prior to 26.02.0.
- Patch available in GPAC version 26.02.0.
By June 30, 2026, a batch of three vulnerabilities had been disclosed for the GPAC multimedia framework. The vulnerabilities, identified as CVE-2026-13523, CVE-2025-60464, and CVE-2025-60465, were published within a two-day window, the earliest on June 28 and the latest on June 30. Together they highlight weaknesses in GPAC's handling of media files and data encoding, with two of the three being use-after-free flaws that can lead to denial-of-service conditions.
Two of the disclosed vulnerabilities, CVE-2025-60464 and CVE-2025-60465, are use-after-free errors within GPAC's MP4Box component. CVE-2025-60464 specifically resides in the gf_sei_load_from_state_internal function within the sei_load.c file, and can be triggered by a specially crafted MPEG-2 TS file. Similarly, CVE-2025-60465 is found in the gf_filter_pid_inst_swap function in filter_pid.c, exploitable through a manipulated media file. Both of these flaws can result in a Denial of Service (DoS) for the application.
The third vulnerability, CVE-2026-13523, identified as a weakness in the base_encoding.c file within the ISOBMFF Parser component, affects GPAC versions up to 26.02.0. While the exact impact is described as related to "highly compressed data," the vulnerability is noted to be locally exploitable and has had exploit code made publicly available. This suggests a potential for local attackers to leverage this weakness.
All three vulnerabilities affect GPAC versions prior to 26.02.0. The disclosure indicates that version 26.02.0 addresses these issues, implying that updating to this version or later is the recommended mitigation. Users of GPAC are advised to ensure their installations are updated to patch these vulnerabilities and prevent potential denial-of-service attacks or exploitation of data encoding weaknesses. The public availability of exploit code for CVE-2026-13523 underscores the importance of timely patching.
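Because the only mitigation the advisory gives is updating to 26.02.0 or later, the practical check is whether an installed GPAC build is older than that release. The script below is an added example, not code from GPAC or from the advisory: it parses a "GPAC version X.Y.Z" banner (the format MP4Box prints with `-version` is assumed, and the sample banners are constructed), compares it numerically against 26.02.0 so that "26.02.0" and "26.2.0" are treated as equal, and flags anything older as needing the patch.

```python
import re
import subprocess

# Release the advisory names as the fix; anything older is affected.
PATCHED_VERSION = (26, 2, 0)

# Matches "GPAC version 2.4.0", "GPAC version 26.02.0-DEV-rev..." and similar.
# A missing patch component is treated as 0.
_VERSION_RE = re.compile(r"GPAC version\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_gpac_version(text):
    """Extract (major, minor, patch) from a 'GPAC version X.Y.Z' banner.

    Leading zeros ("26.02.0") are normalised by the int() conversion.
    Raises ValueError when no version is present rather than guessing.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no GPAC version found in: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def needs_patch(text, patched=PATCHED_VERSION):
    """True when the reported build is older than the patched release."""
    return parse_gpac_version(text) < patched


def check_installed(binary="MP4Box"):
    """Run the local MP4Box binary (assumed to accept -version) and classify it.

    Returns True (update required), False (patched) or None (binary not found
    or not responding).
    """
    try:
        out = subprocess.run([binary, "-version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return needs_patch(out.stdout + out.stderr)


# Constructed sample banners for demonstration; not captured from real systems.
SAMPLES = [
    "MP4Box - GPAC version 2.4.0-DEV-rev0-g0000000-master",
    "MP4Box - GPAC version 26.02.0",
    "MP4Box - GPAC version 26.3.1",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner!r}: {'UPDATE REQUIRED' if needs_patch(banner) else 'ok'}")
    result = check_installed()
    status = "not found" if result is None else ("UPDATE REQUIRED" if result else "ok")
    print("installed MP4Box:", status)
```

One caveat when running this against real installations: a development build whose banner already reads 26.02.0 (for example a `-DEV` snapshot) compares as patched here even though it may predate the actual fix commit, so for source builds confirm the checkout contains the fix rather than trusting the version number alone.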
This batch of vulnerabilities, disclosed over a short period, emphasizes the need for continuous vigilance and prompt updates for users of the GPAC framework. The presence of multiple use-after-free bugs and a publicly known exploit for another weakness suggests that maintaining an up-to-date version of GPAC is crucial for security. Users should prioritize updating to version 26.02.0 or newer to safeguard against these identified risks.