Zero Day Monitor (ZDM)
CVE-2025-60464 · CVSS 7.8 · EXPLOITED · PATCHED
gpac project · mp4box

CVE-2025-60464: A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.

Description

A use-after-free in the gf_sei_load_from_state_internal function (/filters/sei_load.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 TS file.

Affected Products

Vendor | Product | Versions
gpac project | mp4box | n/a

References

  • https://github.com/gpac/gpac/issues/3278
  • https://github.com/gpac/gpac/commit/8f404bd581e455267482f86272169a742f654b97
  • https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/32/32_filters_sei_load_c_225_in_gf_sei_load_from_state_internal
  • https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/32/README.md
  • https://infosec.exchange/@sigdevel/116778370895014131

Related News (2 articles)

Tier C · oss-security · 1d ago
CVE-2025-60464: NULL Pointer Dereference in GPAC/MP4Box via gf_sei_load_from_state_internal on crafted MPEG-2 TS file
→ No new info (linked only)

Tier C · VulDB · 2d ago
CVE-2025-60464 | GPAC up to 26.1.x MP4Box /filters/sei_load.c gf_sei_load_from_state_internal use after free (Issue 3278)
→ No new info (linked only)

CVSS 3.1: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 62714f27c64a3d1eb7e880f9eed2d38673cb43ce
Published: Jun 25, 2026
Last enriched: 1d ago (v3)
Trending Score: 59
Source articles: 2
Independent: 2
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2025-60474 · EXP · Trending: 67
CVE-2025-60474: A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allo

HIGH · CVE-2025-60467 · EXP · Trending: 60
CVE-2025-60467: A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box

MEDIUM · CVE-2025-60466 · EXP · Trending: 55
CVE-2025-60466: A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.0

MEDIUM · CVE-2025-60465 · EXP · Trending: 55
CVE-2025-60465: A use-after-free in the gf_filter_pid_inst_swap function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02

MEDIUM · CVE-2025-60473 · EXP · Trending: 55
CVE-2025-60473: A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Jun 25, 2026: CVE Published
  • Jun 25, 2026: Discovered by ZDM
  • Jun 25, 2026: Updated: description, affectedVersions, severity, exploitAvailable, activelyExploited
  • Jun 26, 2026: Updated: description, affectedVersions, severity, cvssEstimate, cweIds, patchAvailable
  • Jun 26, 2026: Actively Exploited
  • Jun 26, 2026: Exploit Available
  • Jun 26, 2026: Patch Available

Version History

v3 · Tier C · 1d ago

Updated description with more technical detail, changed severity to MEDIUM, updated CVSS to 4.3, added CWE-476, and specified the patch available.

description, affectedVersions, severity, cvssEstimate, cweIds, patchAvailable
via oss-security

v2 · Tier C · 2d ago

Updated vendor and product information, marked severity as CRITICAL, and noted that an exploit is available and the vulnerability is actively exploited.

description, affectedVersions, severity, exploitAvailable, activelyExploited
via VulDB

v1 · 2d ago

Initial creation