VYPR
Medium severity · 5.5 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2025-60486


Description

A heap use-after-free vulnerability in GPAC MP4Box before 26.02.0 allows attackers to cause a denial of service via a crafted MPEG-2 Transport Stream file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A heap use-after-free vulnerability exists in the dasher_process function within filters/dasher.c of GPAC Project/MP4Box versions prior to 26.02.0 [1]. The issue occurs when processing crafted MPEG-2 Transport Stream (TS) files that contain corrupted Program Map Table (PMT) descriptors and repeated sync marker violations. This malformed input triggers incorrect PID context memory management, where a PID context is freed in dasher_configure_pid() but remains referenced by a stale pointer that is subsequently accessed in dasher_process() [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted MPEG-2 TS file to the MP4Box utility [1]. No specific authentication or network access is required beyond the ability to supply the malicious file to the application for processing. The exploitation sequence involves triggering the parser's error-handling paths for corrupted descriptors, which leads to the premature deallocation of the PID context while other streams still maintain references to it [1].

Impact

Successful exploitation of this vulnerability results in a heap use-after-free condition, which typically leads to a crash of the MP4Box process, resulting in a Denial of Service (DoS) [1]. Depending on the heap state at the time of the stale pointer access, there is a potential for memory corruption, though the primary documented impact is application instability.

Mitigation

The vulnerability is addressed in GPAC version 26.02.0 [1]. The fix involves updating the PID context management logic to ensure that references to the PID are properly cleared or updated when a stream is removed from the list of active streams, preventing the use of dangling pointers [2]. Users are advised to upgrade to the latest version to remediate this issue.
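As an added illustration, not GPAC's own code, the C program below models the stale-reference pattern described in the Vulnerability and Mitigation sections: a list of constructed stream contexts in which two streams point at a base stream through `muxed_base`, an unsafe removal that only unlinks the base context (leaving those back-references dangling once the context is freed), and a hardened removal that sweeps the remaining streams and clears every back-reference first, which is the approach the fix commit takes. `DashStream`, `StreamList`, `run_scenario` and the PID values 256 to 259 are constructed stand-ins, not GPAC identifiers.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GF_DashStream: only the two fields this example needs. */
typedef struct DashStream {
    int pid;                        /* constructed PID number, for printing only */
    struct DashStream *muxed_base;  /* stream this one is muxed with, or NULL */
} DashStream;

/* Constructed stand-in for a period's list of streams (fixed capacity). */
typedef struct {
    DashStream *items[8];
    int count;
} StreamList;

static void list_add(StreamList *l, DashStream *ds) {
    assert(l->count < 8);
    l->items[l->count++] = ds;
}

/* Unlink ds from the list (the role gf_list_del_item plays in the real code). */
static void list_del_item(StreamList *l, DashStream *ds) {
    for (int i = 0; i < l->count; i++) {
        if (l->items[i] == ds) {
            memmove(&l->items[i], &l->items[i + 1],
                    (size_t)(l->count - i - 1) * sizeof l->items[0]);
            l->count--;
            return;
        }
    }
}

/* How many remaining streams still point at target through muxed_base. */
static int count_refs_to(const StreamList *l, const DashStream *target) {
    int n = 0;
    for (int i = 0; i < l->count; i++)
        if (l->items[i]->muxed_base == target) n++;
    return n;
}

/* Vulnerable pattern: unlink only. Once the context is freed or reset,
 * every ds2->muxed_base that still equals ds is a dangling pointer. */
static void remove_stream_unsafe(StreamList *l, DashStream *ds) {
    list_del_item(l, ds);
}

/* Fixed pattern: after unlinking, sweep the list and clear every back-reference
 * before the context is released. Returns the number of references cleared. */
static int remove_stream_safe(StreamList *l, DashStream *ds) {
    int cleared = 0;
    list_del_item(l, ds);
    for (int i = 0; i < l->count; i++) {
        DashStream *ds2 = l->items[i];
        if (ds2 && ds2->muxed_base == ds) {
            ds2->muxed_base = NULL;
            cleared++;
        }
    }
    return cleared;
}

/* Constructed period: one base stream (PID 256), two streams muxed onto it
 * (257, 258) and one unrelated stream (259). Returns the base stream. */
static DashStream *build_period(StreamList *l) {
    const int pids[4] = {256, 257, 258, 259};
    DashStream *base = NULL;
    l->count = 0;
    for (int i = 0; i < 4; i++) {
        DashStream *ds = calloc(1, sizeof *ds);
        assert(ds != NULL);
        ds->pid = pids[i];
        if (i == 0) base = ds;
        else if (i < 3) ds->muxed_base = base;   /* 257 and 258 reference 256 */
        list_add(l, ds);
    }
    return base;
}

/* Remove the base stream via one of the two paths and return how many dangling
 * back-references remain in the list; *cleared receives the safe path's count. */
static int run_scenario(int use_safe_path, int *cleared) {
    StreamList period;
    DashStream *base = build_period(&period);
    if (use_safe_path) {
        *cleared = remove_stream_safe(&period, base);
    } else {
        remove_stream_unsafe(&period, base);
        *cleared = 0;
    }
    /* Counted before base is freed, so the pointer comparison is well-defined. */
    int dangling = count_refs_to(&period, base);
    free(base);
    for (int i = 0; i < period.count; i++) free(period.items[i]);
    return dangling;
}

int main(void) {
    int cleared = 0;
    int d_unsafe = run_scenario(0, &cleared);
    int d_safe = run_scenario(1, &cleared);
    printf("unsafe removal: %d dangling muxed_base reference(s)\n", d_unsafe);
    printf("safe removal:   %d dangling, %d cleared\n", d_safe, cleared);
    return 0;
}
```

The unsafe path leaves two dangling references, which is exactly the state a later pass over the stream list would read from freed memory; the safe path reports zero dangling and two cleared. The point for reviewers of similar code is that unlinking an object from one container does not find the other objects that hold a pointer to it, so every removal site needs a sweep (or the object needs a reverse-reference list) before it is released.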

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

e6d01820d7bf

fix some memory issues

https://github.com/gpac/gpac · Aurelien David · Aug 6, 2025 · via nvd-ref
4 files changed · +26 −9
  • applications/mp4box/filedump.c · +2 −0 · modified
    @@ -1736,6 +1736,8 @@ void dump_isom_saps(GF_ISOFile *file, GF_ISOTrackID trackID, u32 dump_saps_mode,
     		u64 doffset;
     
     		GF_ISOSample *samp = gf_isom_get_sample_info(file, track, i+1, &di, &doffset);
    +		if (!samp)
    +			continue;
     
     #ifndef GPAC_DISABLE_ISOM_FRAGMENTS
     		traf_start = gf_isom_sample_is_fragment_start(file, track, i+1, NULL);
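Review bot: the added `if (!samp) continue;` silently drops any sample that gf_isom_get_sample_info cannot return, so a dump_isom_saps listing with missing entries looks complete; log the skipped index (`i+1`) before continuing so a truncated dump is diagnosable.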
    
  • src/compositor/mpeg4_geometry_ifs2d.c · +2 −0 · modified
    @@ -267,6 +267,8 @@ static void TraverseIFS2D(GF_Node *node, void *rs, Bool is_destroy)
     		return;
     	}
     	if (!ifs2D->coord) return;
    +	if ((gf_node_get_tag(ifs2D->coord) != TAG_MPEG4_Coordinate) && (gf_node_get_tag(ifs2D->coord) != TAG_MPEG4_Coordinate2D))
    +		return;
     
     	ifs2d_check_changes(node, stack, tr_state);
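Review bot: the new guard calls gf_node_get_tag(ifs2D->coord) twice in a single condition; caching it once (`u32 tag = gf_node_get_tag(ifs2D->coord);`) and comparing `tag` against the two TAG_MPEG4_Coordinate values keeps the line readable and avoids the repeated lookup. A debug log on the rejected node type would also make the silent early return visible to scene authors.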
     
    
  • src/filters/dasher.c · +19 −9 · modified
    @@ -956,7 +956,7 @@ static GF_Err dasher_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool is
     	const GF_PropertyValue *p, *dsi=NULL;
     	u32 dc_crc, dc_enh_crc;
     	GF_Err e;
    -	GF_DashStream *ds;
    +	GF_DashStream *ds=NULL;
     	Bool old_period_switch;
     	u32 prev_stream_type;
     	Bool new_period_request = GF_FALSE;
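Review bot: the `GF_DashStream *ds=NULL;` initialisation is only meaningful if some path tests `ds` before assigning it; a short comment naming that path would keep a later cleanup from removing the `ds &&` guard in the removal loop that relies on it.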
    @@ -970,6 +970,16 @@ static GF_Err dasher_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool is
     			if (ds->dyn_bitrate) dasher_update_bitrate(ctx, ds);
     			gf_list_del_item(ctx->pids, ds);
     			gf_list_del_item(ctx->current_period->streams, ds);
    +
    +			// ds can be pointed to in other dash streams in the muxed_base member
    +			u32 stream_nb = gf_list_count(ctx->current_period->streams);
    +			for (u32 i=0; i<stream_nb; i++) {
    +				GF_DashStream *ds2 = gf_list_get(ctx->current_period->streams, i);
    +				if (ds && ds2 && ds2->muxed_base == ds) {
    +					ds2->muxed_base = NULL;
    +				}
    +			}
    +
     			if (ctx->next_period)
     				gf_list_del_item(ctx->next_period->streams, ds);
     			dasher_reset_stream(filter, ds, GF_TRUE);
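Review bot: the sweep clears `muxed_base` only in ctx->current_period->streams, yet the lines immediately after it also remove ds from ctx->next_period->streams, so a stream already parked in the next period whose muxed_base points at ds is left with a dangling pointer once dasher_reset_stream runs; run the same loop over ctx->next_period->streams (when ctx->next_period is set) before the reset. Also, `ds` is dereferenced two lines earlier (`if (ds->dyn_bitrate) ...`), so the `ds &&` part of `if (ds && ds2 && ds2->muxed_base == ds)` is dead here and can be dropped.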
    @@ -1521,7 +1531,7 @@ static GF_Err dasher_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool is
     				ds->hls_vp_name = NULL;
     			}
     		}
    -		
    +
     		p = gf_filter_pid_get_property(pid, GF_PROP_PID_COLR_PRIMARIES);
     		if(p){
     			ds->color_primaries = p->value.uint;
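Review bot: this hunk only strips trailing whitespace; bundling it with the muxed_base fix inflates the security-relevant diff and makes the fix harder to backport cleanly, so whitespace cleanup belongs in its own commit.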
    @@ -1538,8 +1548,8 @@ static GF_Err dasher_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool is
     		if(p){
     			ds->color_matrix = p->value.uint;
     		}
    -		
    -		
    +
    +
     #if !defined(GPAC_DISABLE_AV_PARSERS)
     		if (dsi) {
     			if (ds->codec_id == GF_CODECID_LHVC || ds->codec_id == GF_CODECID_HEVC_TILES || ds->codec_id == GF_CODECID_HEVC) {
    @@ -3064,21 +3074,21 @@ static void dasher_setup_set_defaults(GF_DasherCtx *ctx, GF_MPD_AdaptationSet *s
     			desc = gf_mpd_descriptor_new(NULL, "urn:mpeg:mpegB:cicp:ColourPrimaries", value);
     			gf_list_add(set->essential_properties, desc);
     		}
    -		if (ds->color_transfer_characteristics > GF_COLOR_TRC_UNSPECIFIED){ 
    +		if (ds->color_transfer_characteristics > GF_COLOR_TRC_UNSPECIFIED){
     			sprintf(value, "%d", ds->color_transfer_characteristics);
     				desc = gf_mpd_descriptor_new(NULL, "urn:mpeg:mpegB:cicp:TransferCharacteristics", value);
    -				gf_list_add(set->essential_properties, desc);			
    +				gf_list_add(set->essential_properties, desc);
     		}
     		if (ds->color_matrix > GF_COLOR_MX_UNSPECIFIED){
     			sprintf(value, "%d", ds->color_matrix);
     			desc = gf_mpd_descriptor_new(NULL, "urn:mpeg:mpegB:cicp:MatrixCoefficients", value);
     			gf_list_add(set->essential_properties, desc);
    -			
    +
     		}
     		if (ds->color_transfer_characteristics_alt > GF_COLOR_TRC_UNSPECIFIED){
     				sprintf(value, "%d", ds->color_transfer_characteristics_alt);
     				desc = gf_mpd_descriptor_new(NULL, "urn:mpeg:mpegB:cicp:TransferCharacteristics", value);
    -				gf_list_add(set->supplemental_properties, desc);			
    +				gf_list_add(set->supplemental_properties, desc);
     		}
     
     		//add custom inband event in manifest
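Review bot: while whitespace is being cleaned up here, the `desc = gf_mpd_descriptor_new(...)` and `gf_list_add(...)` lines in the two TransferCharacteristics branches are indented one level deeper than the parallel ColourPrimaries and MatrixCoefficients branches; aligning them would make the four blocks read uniformly.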
    @@ -9702,7 +9712,7 @@ static GF_Err dasher_process(GF_Filter *filter)
     			}
     			//period switch in progress, do not dash more than requested
     			else if (ctx->force_period_switch && ctx->period_switch_cts.den) {
    -				//period_switch_cts is in original cts (pcont_cts) 
    +				//period_switch_cts is in original cts (pcont_cts)
     				if (gf_timestamp_greater_or_equal(pcont_cts, ds->timescale, ctx->period_switch_cts.num, ctx->period_switch_cts.den)) {
     					dasher_stream_period_changed(filter, ctx, ds, GF_TRUE);
     					i--;
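Review bot: this is the only hunk touching dasher_process and it is whitespace-only, so the stale-pointer read the advisory locates in dasher_process is fixed entirely by clearing `muxed_base` in dasher_configure_pid; confirm that every use of `ds->muxed_base` in dasher_process tolerates NULL, or add a defensive check at the read site so a missed removal path fails safely instead of dereferencing freed memory.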
    
  • src/isomedia/isom_read.c · +3 −0 · modified
    @@ -1381,6 +1381,9 @@ u32 gf_isom_get_sample_description_count(GF_ISOFile *the_file, u32 trackNumber)
     GF_EXPORT
     GF_ESD *gf_isom_get_esd(GF_ISOFile *movie, u32 trackNumber, u32 StreamDescriptionIndex)
     {
    +	if (!gf_isom_has_movie(movie))
    +		return NULL;
    +
     	GF_ESD *esd;
     	GF_Err e;
     	e = GetESD(movie->moov, gf_isom_get_track_id(movie, trackNumber), StreamDescriptionIndex, &esd);
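Review bot: the added `if (!gf_isom_has_movie(movie)) return NULL;` is placed before the declarations `GF_ESD *esd;` and `GF_Err e;`, which is a declaration after a statement; move the check below the declarations (or the declarations above it) so the function still builds under strict pre-C99 settings and matches the surrounding style.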
    

Vulnerability mechanics

Root cause

"Use-after-free: a PID context is freed in dasher_configure_pid but a stale pointer to it is later dereferenced in dasher_process."

Attack vector

An attacker supplies a crafted MPEG-2 Transport Stream file containing corrupted Program Map Table (PMT) descriptors and repeated sync marker violations. When MP4Box processes this file with the `-dash` command, the dasher module frees a PID context in `dasher_configure_pid` but later dereferences the freed pointer in `dasher_process`, causing a heap-use-after-free read [ref_id=1]. No authentication or special privileges are required; the attacker only needs to deliver the malformed file to the victim.

Affected code

The bug resides in `filters/dasher.c` at line 9445 in the `dasher_process` function, where a stale pointer is read after being freed in `dasher_configure_pid` (line 976). The allocation occurs at line 1153 of the same file [ref_id=1].

What the fix does

The advisory text itself does not include a patch diff. The issue is fixed in GPAC/MP4Box version 26.02.0 [ref_id=1]. The fix is expected to ensure that after a PID context is freed in `dasher_configure_pid`, any pointer to it that `dasher_process` would read is either cleared or no longer accessed, preventing the use-after-free condition.

Preconditions

  • Input: the victim runs MP4Box with the `-dash` command on a crafted MPEG-2 TS file
  • Input: the crafted file must contain corrupted PMT descriptors and repeated sync marker violations

Reproduction

./MP4Box -dash 100 53_dasher_process_filters_dasher_c_9445

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
