Security Advisory: CVE-2025-60467 - Use-After-Free in GPAC MP4Box Filter PID Cleanup

A use-after-free vulnerability exists in GPAC MP4Box when processing a crafted MPEG-2 TS/MP4 file. The issue is triggered during filter teardown in `gf_filter_pid_inst_swap_delete_task()` and can cause MP4Box to crash.

Summary:
AddressSanitizer confirms a heap-use-after-free in `filter_core/filter_pid.c:580`, where code reads from a PID instance object after it has already been freed during swap/delete cleanup.
The crafted file contains malformed MPEG-2 TS structures, including broken PMT descriptors and invalid PID metadata. While MP4Box processes the file with `-info`, the filter core performs PID instance cleanup. During this cleanup path, a PID instance is freed and later accessed again by `gf_filter_pid_inst_swap_delete_task()`.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:580
Function: gf_filter_pid_inst_swap_delete_task()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
```
2.5-DEV-rev1593-gfe88c3545-master
Commit: fe88c3545aadd597b250ccf23271d5d3de50ccc8
```

Attack Conditions:
An attacker supplies a crafted input file that is processed by MP4Box. The issue can be reproduced locally with:
```
./MP4Box -info 39_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_580
```

The prepared CVSS vector:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
```

Impact:
Denial of service via application crash; local triage notes also identify a potential arbitrary code execution risk.

Fix / mitigation status:
Users should update to a fixed GPAC release or apply the vendor-confirmed patch. Verify the final vendor fix commit before public release if the advisory is published independently.

References:

- Issue: https://github.com/gpac/gpac/issues/3290
- Fix: https://github.com/gpac/gpac/commit/aed9c94e92e8ba362ddb29c767c519478f46f195
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/39/39_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_580
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60467

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60474 - Heap Buffer Overflow in GPAC MP4Box Media Import

A heap buffer overflow vulnerability exists in GPAC MP4Box when processing a crafted media file with the `-info` option. The issue occurs in `gf_media_import()` in `media_tools/media_import.c` and can be triggered by supplying a malformed input file to MP4Box.

Summary:
AddressSanitizer confirms an out-of-bounds read at `media_tools/media_import.c:1297`. The vulnerable code reads 1 byte at offset `[1]` from a 1-byte heap buffer allocated from an empty string via `strdup("")`, where only offset `[0]` is valid.
The crafted input reaches MP4Box media import handling and causes `gf_media_import()` to access memory immediately after a 1-byte heap allocation. The allocation originates from property handling for an empty string and is later read out of bounds during media import processing.

CWE:
CWE-122 - Heap-based Buffer Overflow

Affected Component:
```
media_tools/media_import.c:1297
Function: gf_media_import()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
```
2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

Attack Conditions:
An attacker supplies a crafted input file that is processed by MP4Box. The issue can be reproduced locally with:
```
./MP4Box -info 38_gf_media_import_media_tools_media_import_c_1297
```

The prepared CVSS vector:
```
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
```

Impact:
Denial of service via application crash; local triage notes also identify a potential code execution risk.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c
```
Users should update to a GPAC build containing this commit or later.

References:
- Issue: https://github.com/gpac/gpac/issues/3287
- Fix: https://github.com/gpac/gpac/commit/bd7fd6be546e0cd9e599c6b262c338c5f2ecec5c
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/38/38_gf_media_import_media_tools_media_import_c_1297
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60474

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60467 - Use-After-Free in GPAC MP4Box PID Swap Delete Task

Processing a crafted media file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_inst_swap_delete_task()`, causing a crash and potential code execution.

Summary:
The `gf_filter_pid_inst_swap_delete_task()` function in `filter_core/filter_pid.c` can access a `GF_FilterPidInstance` object after it has already been freed by `gf_filter_pid_inst_swap_delete()`. Crafted input that exercises filter reconfiguration and deferred teardown paths can cause the scheduler to process a delete task with a stale pointer.

AddressSanitizer reports a `heap-use-after-free` at `filter_core/filter_pid.c:574`, with a `READ of size 4` from a previously freed 336-byte heap region.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:574
Function: gf_filter_pid_inst_swap_delete_task()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77` should be considered affected if they contain the vulnerable deferred PID swap delete task path.

Attack Conditions:
An attacker supplies a crafted media file or filter graph input that is processed by MP4Box through the info/import path and triggers PID reconfiguration and deferred teardown. The issue can be reproduced locally with:
```
./MP4Box -info 37_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_574
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77
```

Users should update to a GPAC build containing this commit or later. The affected deferred task path should ensure that `GF_FilterPidInstance` lifetime remains valid before a scheduled delete task accesses it.

References:

- Issue: https://github.com/gpac/gpac/issues/3286
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/37/37_gf_filter_pid_inst_swap_delete_task_filter_core_filter_pid_c_574
- Fix: https://github.com/gpac/gpac/commit/976dacf65cb6986a4e4f350fb8d3ed0a17dc3a77
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60467

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60473 - NULL Pointer Dereference in GPAC MP4Box Filter Parent Chain

Processing a crafted media file with MP4Box `-info` can trigger a NULL pointer dereference in `gf_filter_in_parent_chain()`, causing a Denial of Service.

Summary:
The `gf_filter_in_parent_chain()` function in `filter_core/filter_pid.c` does not sufficiently validate a parent filter pointer before dereferencing it. When MP4Box processes a specially crafted media file with malformed MPEG-2 TS data and a corrupted PID/filter chain, the vulnerable path can attempt to read from address `0x000000000008`.

CWE:
CWE-476 - NULL Pointer Dereference

Affected Component:
```
filter_core/filter_pid.c:2145
Function: gf_filter_in_parent_chain()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `b8d80b44718de10b101e1d7fc17c84d69feb092e` should be considered affected if they contain the vulnerable filter parent-chain validation path.

Attack Conditions:
An attacker supplies a crafted media file with malformed MPEG-2 TS packet data and a corrupted PID/filter chain. The issue can be reproduced locally with:
```
./MP4Box -info 36_gf_filter_in_parent_chain_filter_core_filter_pid_c_2145
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
```

Impact:
The immediate observed impact is Denial of Service due to process termination. The local MITRE/BDU data also notes potential arbitrary code execution, although the available ASAN evidence shows a NULL pointer dereference crash.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
b8d80b44718de10b101e1d7fc17c84d69feb092e
```

Users should update to a GPAC build containing this commit or later. The affected filter graph code should validate parent filter pointers before dereferencing them during PID initialization.

References:

- Issue: https://github.com/gpac/gpac/issues/3285
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/36/36_gf_filter_in_parent_chain_filter_core_filter_pid_c_2145
- Fix: https://github.com/gpac/gpac/commit/b8d80b44718de10b101e1d7fc17c84d69feb092e
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60473

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60466 - Expired Pointer Dereference in GPAC MP4Box Packet Retrieval

Processing a crafted media file with MP4Box `-info` can trigger an expired pointer dereference in `gf_filter_pid_get_packet()`, causing a heap use-after-free crash and potential code execution.

Summary:
The `gf_filter_pid_get_packet()` function in `filter_core/filter_pid.c` may operate on an invalidated Packet ID (PID) object after it has been freed by `gf_filter_pid_del()`. When MP4Box processes a specially crafted media file through the filter graph, the `inspect` filter can request packets from a stale PID object, leading to access to freed heap memory.

CWE:
CWE-825 - Expired Pointer Dereference

Affected Component:
```
filter_core/filter_pid.c:6827
Function: gf_filter_pid_get_packet()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb` should be considered affected if they contain the vulnerable PID packet retrieval path.

Attack Conditions:
An attacker supplies a crafted media file that is processed by MP4Box through the info/import path and drives the inspect/filter pipeline through PID deletion and packet retrieval paths. The issue can be reproduced locally with:

```
./MP4Box -info 35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector in the local BDU data is:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free / expired pointer dereference, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb
```

Users should update to a GPAC build containing this commit or later. The fix adds checks to ignore tasks when PID or filter objects have been removed or finalized, preventing stale object use.

References:

- Issue: https://github.com/gpac/gpac/issues/3284
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/35/35_gf_filter_pid_get_packet_filter_core_filter_pid_c_6827
- Fix: https://github.com/gpac/gpac/commit/4a7ea06dd1b2cc65fe0dabc60189eb6bc814f7bb
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60466

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60465 - Use-After-Free in GPAC MP4Box PID Instance Swap

Processing a crafted media file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_inst_swap()`, causing a crash and potential code execution.

Summary:
The `gf_filter_pid_inst_swap()` function in `filter_core/filter_pid.c` does not reset `ctx->pid_inst` to NULL after freeing the PID instance. Subsequent PID configuration and reconfiguration steps can reuse this dangling pointer, leading to access to freed heap memory.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:633
Function: gf_filter_pid_inst_swap()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `55b351bd078c950592544ab4c708a613c1725b9b` should be considered affected if they contain the vulnerable PID instance swap path.

Attack Conditions:
An attacker supplies a crafted media or MPEG-2 TS input that is processed by MP4Box through the info/import path and triggers filter PID reconfiguration. The issue can be reproduced locally with:
```
./MP4Box -info 34_gf_filter_pid_inst_swap_filter_core_filter_pid_c_633
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector in the local BDU data is:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
55b351bd078c950592544ab4c708a613c1725b9b
```

Users should update to a GPAC build containing this commit or later. The affected PID instance swap path should clear `ctx->pid_inst` after freeing it and avoid later use of stale PID object pointers.

References:

- Issue: https://github.com/gpac/gpac/issues/3283
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/34/34_gf_filter_pid_inst_swap_filter_core_filter_pid_c_633
- Fix: https://github.com/gpac/gpac/commit/55b351bd078c950592544ab4c708a613c1725b9b
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60465

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60471 - Use-After-Free in GPAC MP4Box PID Reconfiguration

Processing a crafted media file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_reconfigure_task_discard()`, causing a crash and potential code execution.

Summary:
The `gf_filter_pid_reconfigure_task_discard()` function in `filter_core/filter_pid.c` can access a freed Packet ID (PID) object during filter reconfiguration cleanup. When MP4Box processes a specially crafted file with malformed MPEG-2 TS packet data, broken PMT descriptors, unsupported stream types, and invalid packet structure, the vulnerable path may free a PID instance through `gf_filter_pid_inst_swap()` and later dereference it during reconfiguration task discard.

AddressSanitizer reports a `heap-use-after-free` at `filter_core/filter_pid.c:1346`, with a `READ of size 8` from a freed 336-byte heap region.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:1346
Function: gf_filter_pid_reconfigure_task_discard()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:

```
GPAC version: 2.5-DEV-rev1570-g6208015df-master
Commit: 6208015dff3a6735a26e413c484c714666eb3ea2
```

Builds before the fix commit `48b0f505679ee41004cb521ac3b76b610650c0cb` should be considered affected if they contain the vulnerable PID reconfiguration cleanup path.

Attack Conditions:
An attacker supplies a crafted media file that is processed by MP4Box through the info/import path. The issue can be reproduced locally with:
```
./MP4Box -info 33_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1346
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector in the local BDU data is:
```
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
```

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
48b0f505679ee41004cb521ac3b76b610650c0cb
```

Users should update to a GPAC build containing this commit or later. The affected PID reconfiguration path should ensure that PID object lifetime remains valid before discard logic accesses the object.

References:

- Issue: https://github.com/gpac/gpac/issues/3282
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/33/33_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1346
- Fix: https://github.com/gpac/gpac/commit/48b0f505679ee41004cb521ac3b76b610650c0cb
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60471

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60464 - Use-After-Free in GPAC MP4Box SEI State Handling

Processing a crafted MPEG-2 TS file with MP4Box `-info` can trigger a heap use-after-free in `gf_sei_load_from_state_internal()`, causing a crash and potential code execution.

Summary:
The `gf_sei_load_from_state_internal()` function in `filters/sei_load.c` can access codec/SEI state after the related heap buffer has been freed by the NALU demuxer setup path. When MP4Box processes a specially crafted MPEG-2 Transport Stream file containing malformed AVC/HEVC/VVC NAL units and corrupted PMT descriptors, `naludmx_configure_pid()` can release a state buffer that is later read during SEI state loading.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filters/sei_load.c:225
Function: gf_sei_load_from_state_internal()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1557-g62714f27c-master
Commit: 62714f27c64a3d1eb7e880f9eed2d38673cb43ce
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Builds before the fix commit `8f404bd581e455267482f86272169a742f654b97` should be considered affected if they contain the vulnerable SEI state handling path.

Attack Conditions:
An attacker supplies a crafted MPEG-2 TS file containing malformed AVC/HEVC/VVC bitstream data, corrupted PMT descriptors, and invalid NAL/SEI state. The issue can be reproduced locally with:
```
./MP4Box -info 32_filters_sei_load_c_225_in_gf_sei_load_from_state_internal
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

The prepared CVSS vector in the local BDU data is:

```
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
```

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:

```
8f404bd581e455267482f86272169a742f654b97
```

Users should update to a GPAC build containing this commit or later. The affected SEI/NALU handling path should ensure state buffers remain valid before SEI parsing reads from them.

References:

- Issue: https://github.com/gpac/gpac/issues/3278
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/32/32_filters_sei_load_c_225_in_gf_sei_load_from_state_internal
- Fix: https://github.com/gpac/gpac/commit/8f404bd581e455267482f86272169a742f654b97
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60464

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-60471 - Use-After-Free in GPAC MP4Box PID Reconfiguration

Processing a crafted MPEG-2 TS file with MP4Box `-info` can trigger a heap use-after-free in `gf_filter_pid_reconfigure_task_discard()`, causing a crash and potential code execution.

Summary:
The `gf_filter_pid_reconfigure_task_discard()` function in `filter_core/filter_pid.c` can access a freed `pid_inst` structure during PID reconfiguration task disposal. When MP4Box processes a specially crafted MPEG-2 Transport Stream file containing broken PMT descriptors, missing packet sync markers, unsupported stream types, and invalid packet data, a PID instance can be freed by `gf_filter_pid_inst_swap_delete()` and later accessed in `gf_filter_pid_reconfigure_task_discard()`.

AddressSanitizer reports a `heap-use-after-free` at `filter_core/filter_pid.c:1341`, with a `READ of size 8` from a freed 336-byte heap region.

CWE:
CWE-416 - Use After Free

Affected Component:
```
filter_core/filter_pid.c:1341
Function: gf_filter_pid_reconfigure_task_discard()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
The issue was reproduced on:
```
GPAC version: 2.5-DEV-rev1557-g62714f27c-master
Commit: 62714f27c64a3d1eb7e880f9eed2d38673cb43ce
```

The MITRE response states that GPAC Project/MP4Box before `26.02.0` is affected. Local MITRE data also describes affected GPAC MP4Box 2.4 and earlier, including development branches that contain the vulnerable PID reconfiguration lifecycle handling.
Builds before the fix commit `868c6801c226e9964cace54cfd5a759f152780b4` should be considered affected if they contain the vulnerable path.

Attack Conditions:
An attacker supplies a crafted MPEG-2 TS file with corrupted PMT descriptors and invalid packet data. The issue can be reproduced locally with:
```
./MP4Box -info 31_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1341
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is a heap use-after-free, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
868c6801c226e9964cace54cfd5a759f152780b4
```

Users should update to a GPAC build containing this commit or later. The affected filter PID reconfiguration path should ensure that PID instance lifetime is valid before task discard logic accesses the object.
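The lifetime bug shared by the PID advisories above (CVE-2025-60467 and CVE-2025-60466, where a deferred task or packet request reaches a PID instance that was already freed; CVE-2025-60465, where `ctx->pid_inst` keeps pointing at freed memory; and CVE-2025-60471, where the reconfigure-discard task does the same) and the two defensive steps the fix descriptions call for, as an added C model that is not GPAC code. The reference count that keeps a target alive until its pending tasks drain is this example's own addition, and every type and function name in it (`PidInst`, `FilterCtx`, `Scheduler`, `scheduler_post`, `scheduler_run`) is invented.

```c
#include <stdlib.h>

/* Illustrative model only, not GPAC code: a PID instance that deferred tasks
 * (swap-delete, reconfigure-discard) may target after its owner dropped it. */
typedef struct {
    int refcount;   /* owner reference plus one per pending task */
    int removed;    /* set once the owner has logically deleted it */
    int payload;    /* stands in for the fields a task would read */
} PidInst;

typedef struct { PidInst *pid_inst; } FilterCtx;   /* models ctx->pid_inst */

typedef int (*task_fn)(PidInst *);
typedef struct Task { PidInst *target; task_fn run; struct Task *next; } Task;
/* executed: ran against a live target; skipped: target removed meanwhile */
typedef struct { Task *head; int executed, skipped, last_result; } Scheduler;

static PidInst *pid_inst_new(int payload)
{
    PidInst *p = calloc(1, sizeof(*p));
    if (p) { p->payload = payload; p->refcount = 1; }   /* owner's reference */
    return p;
}

/* Drop one reference; the memory goes away only when no holder remains. */
static void pid_inst_release(PidInst *p) { if (p && --p->refcount == 0) free(p); }

/* Owner-side delete: flag the instance, clear the owner pointer so it cannot
 * be reused stale (the step CVE-2025-60465 lacks), drop the owner reference. */
static void filter_ctx_remove_pid(FilterCtx *ctx)
{
    PidInst *p = ctx->pid_inst;
    if (!p) return;
    p->removed = 1;
    ctx->pid_inst = NULL;
    pid_inst_release(p);
}

/* Posting a task takes a reference, so a delete that happens before the
 * scheduler runs cannot free the target while a task still points at it. */
static int scheduler_post(Scheduler *s, PidInst *target, task_fn fn)
{
    Task *t = target ? calloc(1, sizeof(*t)) : NULL;
    if (!t) return -1;
    t->target = target; t->run = fn; t->next = s->head;
    s->head = t;
    target->refcount++;
    return 0;
}

/* Drain the queue. A task whose target was removed after posting is ignored
 * instead of dereferencing a dead object (the check the CVE-2025-60466 fix
 * description calls for); the task's reference is released either way. */
static void scheduler_run(Scheduler *s)
{
    while (s->head) {
        Task *t = s->head;
        s->head = t->next;
        if (t->target->removed) s->skipped++;
        else { s->last_result = t->run(t->target); s->executed++; }
        pid_inst_release(t->target);
        free(t);
    }
}

static int read_payload_task(PidInst *p) { return p->payload; }

/* Two tasks posted, then the owner removes the PID before the scheduler runs:
 * both are skipped and the instance is freed on the final release. Returns the
 * skipped count (2), or -1 if the owner pointer was left dangling. */
int scenario_remove_before_run(void)
{
    FilterCtx ctx = { NULL };
    Scheduler s = { NULL, 0, 0, 0 };
    if (!(ctx.pid_inst = pid_inst_new(42))) return -1;
    scheduler_post(&s, ctx.pid_inst, read_payload_task);
    scheduler_post(&s, ctx.pid_inst, read_payload_task);
    filter_ctx_remove_pid(&ctx);
    if (ctx.pid_inst != NULL) return -1;
    scheduler_run(&s);
    return s.skipped;
}

/* The task runs while the PID is alive and reads its payload; returns 42. */
int scenario_run_before_remove(void)
{
    FilterCtx ctx = { NULL };
    Scheduler s = { NULL, 0, 0, 0 };
    if (!(ctx.pid_inst = pid_inst_new(42))) return -1;
    scheduler_post(&s, ctx.pid_inst, read_payload_task);
    scheduler_run(&s);
    filter_ctx_remove_pid(&ctx);
    return s.executed == 1 ? s.last_result : -1;
}
```

Built with `-fsanitize=address`, both scenarios stay clean because no task ever touches a released instance; dropping the `removed` check or the task reference is what reintroduces the reported heap-use-after-free.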

References:

- Issue: https://github.com/gpac/gpac/issues/3279
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/31/31_gf_filter_pid_reconfigure_task_discard_filter_core_filter_pid_c_1341
- Fix: https://github.com/gpac/gpac/commit/868c6801c226e9964cace54cfd5a759f152780b4
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-60471

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac

Security Advisory: CVE-2025-55640 - Heap Buffer Overflow in GPAC MP4Box Sample Size Handling

Processing a crafted MP4 file with MP4Box `-add` can trigger a heap buffer overflow in `stbl_AddSize()`, causing a crash and potential code execution.

Summary:
The `stbl_AddSize()` function in `isomedia/stbl_write.c` does not sufficiently validate sample count boundaries before writing to the sample size table. When MP4Box imports a specially crafted MP4 file containing manipulated sample metadata, corrupted sample counts, invalid aspect ratios, and oversized box declarations, the vulnerable path writes beyond the allocated heap buffer for `stbl->sampleSize->sizes`.

AddressSanitizer reports a `heap-buffer-overflow` at `isomedia/stbl_write.c:492`, with a `WRITE of size 4` immediately after a 64-byte heap allocation.

CWE:
CWE-122 - Heap-based Buffer Overflow

Affected Component:
```
isomedia/stbl_write.c:492
Function: stbl_AddSize()
```

Affected Product:
MP4Box (GPAC Multimedia Open Source Project)

Affected Version:
GPAC MP4Box version 2.4 is affected according to the prepared CVE/MITRE data. The issue was reproduced on a GPAC build at commit:
```
027ce139dda498ee95df36db9f9f6f3cadce8ec9
```

Builds before the fix commit `321624f28d19a413449fd1718d1eb59037f8f7fc` should be considered affected if they contain the vulnerable sample size table update path.

Attack Conditions:
An attacker supplies a crafted MP4 file with manipulated sample metadata. The issue can be reproduced locally with:

```
./MP4Box -add 25_poc.mp4 -new /dev/null
```

No elevated privileges are required. User interaction is required when the victim manually processes the malicious file, or an automated media workflow invokes MP4Box on attacker-controlled input.

Impact:
The immediate observed impact is Denial of Service due to process termination. Because the vulnerability is an out-of-bounds heap write, memory corruption and potential arbitrary code execution are possible.

Fix / mitigation status:
The issue was fixed in GPAC commit:
```
321624f28d19a413449fd1718d1eb59037f8f7fc
```

Users should update to a GPAC build containing this commit or later. The affected sample size table path should validate `sampleCount` and ensure capacity before writing sample size entries.
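The validation the paragraph above asks for, as an added C example that is not GPAC code: the declared sample count is checked against the bytes the table actually carries before anything is allocated, and every append verifies capacity (with overflow-checked growth) before writing `sizes[sampleCount]`. The count-plus-entries layout is a simplification of the stsz box, and the names (`SampleSizeTable`, `sst_load`, `sst_add_size`) and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative model of a sample size table, not GPAC code. The names
 * (SampleSizeTable, sst_load, sst_add_size) are invented for this example. */
typedef struct {
    uint32_t *sizes;        /* one 32-bit size per sample */
    uint32_t sampleCount;   /* entries in use */
    uint32_t alloc_size;    /* entries the buffer can hold */
} SampleSizeTable;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Load entries from a simplified stsz-like payload: a big-endian sample count
 * followed by that many 32-bit sizes (the real box also carries version/flags
 * and a default sample_size). The declared count is checked against the bytes
 * actually present before anything is allocated, so an oversized declaration
 * cannot yield a table whose count outruns its data. Returns 0 or -1. */
int sst_load(SampleSizeTable *t, const uint8_t *buf, size_t len)
{
    if (!t || !buf || len < 4) return -1;
    uint32_t count = be32(buf);
    if (count > (len - 4) / 4) return -1;          /* declared > carried */
    uint32_t *sizes = calloc(count ? count : 1, sizeof(*sizes));
    if (!sizes) return -1;
    for (uint32_t i = 0; i < count; i++)
        sizes[i] = be32(buf + 4 + 4 * (size_t)i);
    free(t->sizes);
    t->sizes = sizes;
    t->sampleCount = count;
    t->alloc_size = count ? count : 1;
    return 0;
}

/* Append one sample size. Refuses a table whose count already exceeds its
 * allocation and grows the buffer with overflow-checked arithmetic, so the
 * write at sizes[sampleCount] always lands inside the buffer. */
int sst_add_size(SampleSizeTable *t, uint32_t size)
{
    if (!t || t->sampleCount > t->alloc_size) return -1;
    if (t->sampleCount == t->alloc_size) {
        if (t->alloc_size > UINT32_MAX / 2) return -1;   /* would overflow */
        uint32_t new_alloc = t->alloc_size ? t->alloc_size * 2 : 16;
        uint32_t *n = realloc(t->sizes, (size_t)new_alloc * sizeof(*n));
        if (!n) return -1;
        t->sizes = n;
        t->alloc_size = new_alloc;
    }
    t->sizes[t->sampleCount++] = size;
    return 0;
}

void sst_free(SampleSizeTable *t)
{
    free(t->sizes);
    t->sizes = NULL;
    t->sampleCount = t->alloc_size = 0;
}

/* Constructed payloads for the example: a well-formed table declaring three
 * sizes (100, 200, 300), and a malformed one declaring 1000 samples while
 * carrying only those same three entries. */
static const uint8_t GOOD_STSZ[] = {
    0,0,0,3,    0,0,0,100,  0,0,0,200,  0,0,1,44 };
static const uint8_t BAD_STSZ[] = {
    0,0,3,232,  0,0,0,100,  0,0,0,200,  0,0,1,44 };

/* Loads the well-formed table, appends two sizes (forcing one reallocation)
 * and returns the resulting count, 5, or -1 if any step or content check fails. */
int demo_valid(void)
{
    SampleSizeTable t = { NULL, 0, 0 };
    if (sst_load(&t, GOOD_STSZ, sizeof GOOD_STSZ) != 0) return -1;
    int ok = sst_add_size(&t, 400) == 0 && sst_add_size(&t, 500) == 0 &&
             t.sampleCount == 5 && t.sizes[2] == 300 && t.sizes[4] == 500;
    int result = ok ? (int)t.sampleCount : -1;
    sst_free(&t);
    return result;
}

/* The oversized declaration is rejected before any entry is copied: -1. */
int demo_oversized_declared(void)
{
    SampleSizeTable t = { NULL, 0, 0 };
    int rc = sst_load(&t, BAD_STSZ, sizeof BAD_STSZ);
    sst_free(&t);
    return rc;
}
```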

References:

- Issue: https://github.com/gpac/gpac/issues/3261
- PoC: https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/25/25_poc.mp4
- Fix: https://github.com/gpac/gpac/commit/321624f28d19a413449fd1718d1eb59037f8f7fc
- CVE record: https://www.cve.org/CVERecord?id=CVE-2025-55640

Credit
Alexander A. Shvedov (@sigdevel)

#fuzzing #infosec #security #aflplusplus #revers #cybersecurity #bugbounty #vulnerability #opensource #linux #cve #advisory #media #gpac
