CVE-2025-55650
Description
A heap use-after-free in GPAC MP4Box v2.4 when processing crafted MP4 files with the -svg option allows denial of service via crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap use-after-free vulnerability exists in the gf_node_get_tag function within scenegraph/base_scenegraph.c of GPAC MP4Box v2.4 [1]. When MP4Box processes a crafted MP4 file using the -svg option to dump the MPEG-4 LASeR/SVG scene, an SVG node allocated by gf_svg_create_node() is freed by gf_svg_node_del() and then subsequently accessed during scene graph reset/cleanup. AddressSanitizer reports a READ of size 8 inside a 24-byte region that was freed in gf_svg_node_del() at svg_types.c:126 [1]. The vulnerability affects GPAC versions prior to the fix commit 46be5f928660530d5332cd2f1d177208737558ef [1].
Exploitation
An attacker must supply a specially crafted MP4 file to a user or system that runs MP4Box with the -svg option. No authentication or special network position is required, but user interaction is necessary (the victim must execute MP4Box on the malicious file). The exploitation sequence involves MP4Box parsing the crafted MP4 file, creating SVG nodes, and then during cleanup, a freed node is accessed, triggering the use-after-free condition [1].
Impact
Successful exploitation results in a denial of service (DoS) due to a crash. The CVSS v3.1 base score is 5.5 (Medium) per the CVE header, with a vector indicating low attack complexity and no privileges required. The impact is limited to availability; there is no confidentiality or integrity compromise [1].
Mitigation
The vulnerability is fixed in commit 46be5f928660530d5332cd2f1d177208737558ef of the GPAC repository [1]. Users should update to a version that includes this commit. No workarounds are documented, and the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free: an SVG node is freed by gf_svg_node_del() but later accessed during scene graph reset in gf_sg_reset()."
Attack vector
An attacker supplies a crafted MP4 file that, when processed by MP4Box with the `-svg` flag, triggers a use-after-free in the SVG scene graph. The freed node is read during `gf_sg_reset()` after being deallocated by `gf_svg_node_del()`. No authentication or special privileges are required beyond the ability to provide the malicious file. [ref_id=1] [CWE-416]
Affected code
The vulnerability resides in `scenegraph/svg_types.c` (line 107) and `scenegraph/base_scenegraph.c` (the `gf_sg_reset` path). An SVG node allocated by `gf_svg_create_node()` is freed by `gf_svg_node_del()` and then accessed again during scene graph cleanup, causing a heap use-after-free in `gf_node_get_tag` / `gf_svg_node_del`. [ref_id=1]
What the fix does
The advisory references a fix commit (`46be5f928660530d5332cd2f1d177208737558ef`) but does not include the diff. The patch likely ensures that after `gf_svg_node_del()` frees an SVG node, the dangling pointer is cleared or the node is removed from the scene graph before `gf_sg_reset()` iterates over it, preventing the subsequent read of freed memory. [ref_id=1]
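As an added illustration, not GPAC's code and not the referenced fix commit (whose diff the advisory does not include), the following hypothetical C program contrasts the free-then-traverse pattern described above with a deletion routine that unlinks a node from its owner before freeing it, and a reset routine that clears the head pointer after releasing nodes. The names `sg_node`, `scene_graph`, `node_del_unsafe`, `node_del_safe`, `sg_reset` and `lifecycle_scenario` are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical minimal scene graph (assumed names; not GPAC's structures).
   The graph owns a singly linked list of nodes. */
typedef struct sg_node {
    int tag;                /* node type, akin to what gf_node_get_tag() returns */
    struct sg_node *next;   /* next node in the graph's list */
} sg_node;

typedef struct {
    sg_node *nodes;         /* head of the owned node list */
} scene_graph;

/* Allocate a node and register it with the graph. */
sg_node *sg_create_node(scene_graph *sg, int tag)
{
    sg_node *n = calloc(1, sizeof *n);
    if (n == NULL)
        return NULL;
    n->tag = tag;
    n->next = sg->nodes;    /* the graph now holds a reference to n */
    sg->nodes = n;
    return n;
}

/* VULNERABLE PATTERN (defined for contrast, never called here): the node is
   freed but the graph's list still points at it, so any later walk over
   sg->nodes reads freed memory. This is the shape of bug the advisory
   describes: a node released by one routine and read by the reset path. */
void node_del_unsafe(sg_node *n)
{
    free(n);
}

/* HARDENED PATTERN: unlink the node from its owner first, then free it.
   Returns 1 if the graph owned n and released it, 0 if n was not in the
   graph (in which case nothing is freed). */
int node_del_safe(scene_graph *sg, sg_node *n)
{
    sg_node **link = &sg->nodes;
    while (*link != NULL) {
        if (*link == n) {
            *link = n->next; /* no pointer to n remains before free() */
            free(n);
            return 1;
        }
        link = &(*link)->next;
    }
    return 0;
}

/* Number of nodes the graph currently owns. */
int sg_count(const scene_graph *sg)
{
    int count = 0;
    for (const sg_node *cur = sg->nodes; cur != NULL; cur = cur->next)
        count++;
    return count;
}

/* Reset releases every node still owned by the graph and clears the head,
   so a repeated reset or a later lookup cannot reach stale memory.
   Returns the number of nodes released. */
int sg_reset(scene_graph *sg)
{
    int released = 0;
    sg_node *cur = sg->nodes;
    while (cur != NULL) {
        sg_node *next = cur->next;  /* read the link before freeing cur */
        free(cur);
        cur = next;
        released++;
    }
    sg->nodes = NULL;
    return released;
}

/* Walk the safe lifecycle end to end. Returns 0 on success or the number
   of the first step whose result was unexpected. */
int lifecycle_scenario(void)
{
    scene_graph g = { NULL };
    sg_node orphan = { 99, NULL };  /* constructed node never registered with g */

    sg_create_node(&g, 1);
    sg_node *b = sg_create_node(&g, 2);
    sg_create_node(&g, 3);
    if (sg_count(&g) != 3) return 1;

    if (node_del_safe(&g, b) != 1) return 2;        /* unlinked and freed */
    if (sg_count(&g) != 2) return 3;
    if (node_del_safe(&g, &orphan) != 0) return 4;  /* unknown node: untouched */

    if (sg_reset(&g) != 2) return 5;   /* releases the two remaining nodes */
    if (g.nodes != NULL) return 6;
    if (sg_reset(&g) != 0) return 7;   /* idempotent: nothing stale to touch */
    return 0;
}

int main(void)
{
    int rc = lifecycle_scenario();
    printf("safe lifecycle: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The design point is ownership: a node must be removed from every structure that references it before its memory is released, and the cleanup path must not rely on pointers that an earlier deletion may have invalidated. Building with AddressSanitizer (`-fsanitize=address`) and calling `node_del_unsafe` followed by `sg_reset` would reproduce the class of report quoted in the advisory, which is a useful regression check for a fuzzing harness.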
Preconditions
- input: Attacker must supply a crafted MP4 file that triggers the SVG scene path processing
- config: Victim must run MP4Box with the -svg flag on the crafted file
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.