A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60486.json",
"cna_assigner": "mitre"
}"2026-07-09T18:18:32Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60486.json"
[
{
"id": "CVE-2025-60486-3b557214",
"digest": {
"function_hash": "199193566362182277671567014971897598992",
"length": 27175.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"function": "dasher_configure_pid",
"file": "src/filters/dasher.c"
}
},
{
"id": "CVE-2025-60486-44068655",
"digest": {
"line_hashes": [
"18932393730742255432453235775156873288",
"270764964189030152645070470071380676127",
"203278179028737446463915301054632003726",
"26470146062633646409700590501854041123"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"file": "applications/mp4box/filedump.c"
}
},
{
"id": "CVE-2025-60486-9537c0f7",
"digest": {
"line_hashes": [
"317538733772543257714868350721726851573",
"137681394362777990054220572964002058179",
"142975858742031049477880172076800051828",
"203598634951213534465747330965941789001",
"163716403421700846906667530234405621781",
"317986557153736425087238008084793996035",
"238519764834600678469054849651481763603",
"93227704173811863791141511083492932459",
"88791466694522139178564174306992216343",
"103019590927704249470899543114139376321",
"77841915592605315089333655969047531240",
"154038803093701615408291907311435998544",
"262975630474639848023276571725028318126",
"280175335559217037197328790295620441384",
"29261712364992840501577639974975309736",
"198518410689237081419018262826185960088",
"261003641882765732018676017977844923181",
"102945830147294261733650850005714985781",
"70196362472973435179664887836685463438",
"98136200847790978478183906301048952944",
"148220903167292014333896411881072894254",
"112743802115215259457116489040444028229",
"314290810626926821994804814259417773724",
"106407875581277610765102174148391597028",
"22108762012841155499484521830349600840",
"7179292035962996126116823087877580176",
"327611018766656538872449455059416753972",
"130656830246720395881826214564943429671",
"54622022950901821246888125045551280937",
"225295717380783183469772857211377099329",
"293423430594466348730012397236555846876",
"42302748561924312812961428263952810263",
"198699169140994778824602578411698069490",
"176949747484912305936256339836182072158"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"file": "src/filters/dasher.c"
}
},
{
"id": "CVE-2025-60486-a29bd9f3",
"digest": {
"function_hash": "72938795741503737622083433653794534487",
"length": 2028.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"function": "dump_isom_saps",
"file": "applications/mp4box/filedump.c"
}
},
{
"id": "CVE-2025-60486-a5d38257",
"digest": {
"line_hashes": [
"242170403633445511533484490383533956107",
"123559476618757254484850121810495946772",
"274232141822084879926864990161210122112",
"144407673426189294790732282237281067418"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"file": "src/isomedia/isom_read.c"
}
},
{
"id": "CVE-2025-60486-a788a807",
"digest": {
"line_hashes": [
"123651366942589291184106866356819776233",
"309068702292035141079474280135500620950",
"146885122247678406655456477415361815509",
"206138803660333225707896228933792087808"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"file": "src/compositor/mpeg4_geometry_ifs2d.c"
}
},
{
"id": "CVE-2025-60486-b16f5372",
"digest": {
"function_hash": "312013340158895046591627719361534586937",
"length": 319.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"function": "gf_isom_get_esd",
"file": "src/isomedia/isom_read.c"
}
},
{
"id": "CVE-2025-60486-c80451ae",
"digest": {
"function_hash": "14270339333290916441435841127438430668",
"length": 1509.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
"deprecated": false,
"target": {
"function": "TraverseIFS2D",
"file": "src/compositor/mpeg4_geometry_ifs2d.c"
}
}
]