CVE-2025-60486

Source
https://cve.org/CVERecord?id=CVE-2025-60486
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60486.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-60486
Downstream
Published
2026-06-01T00:00:00Z
Modified
2026-07-09T18:18:32.589899Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/60xxx/CVE-2025-60486.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "MP4Box"
        },
        {
            "fixed": "26.02.0"
        }
    ]
}

Affected versions

Other
abi-12
abi-13
abi-14
abi-15
abi-16
abi-12.*
abi-12.16
abi-12.17
abi-12.18
abi-12.19
abi-12.20
abi-12.21
abi-12.22
abi-12.23
abi-12.24
abi-12.25
abi-12.26
abi-12.27
abi-13.*
abi-13.0
abi-14.*
abi-14.0
abi-15.*
abi-15.0
abi-15.1
abi-15.2
abi-16.*
abi-16.2
abi-16.3
abi-16.4
abi-16.5
testtag0.*
testtag0.1
v0.*
v0.5.2
v0.6.0
v0.9.0
v0.9.0-preview
v1.*
v1.0.0
v2.*
v2.0.0
v2.2.0

Database specific

vanir_signatures_modified
"2026-07-09T18:18:32Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60486.json"
vanir_signatures
[
    {
        "id": "CVE-2025-60486-3b557214",
        "digest": {
            "function_hash": "199193566362182277671567014971897598992",
            "length": 27175.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "function": "dasher_configure_pid",
            "file": "src/filters/dasher.c"
        }
    },
    {
        "id": "CVE-2025-60486-44068655",
        "digest": {
            "line_hashes": [
                "18932393730742255432453235775156873288",
                "270764964189030152645070470071380676127",
                "203278179028737446463915301054632003726",
                "26470146062633646409700590501854041123"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "file": "applications/mp4box/filedump.c"
        }
    },
    {
        "id": "CVE-2025-60486-9537c0f7",
        "digest": {
            "line_hashes": [
                "317538733772543257714868350721726851573",
                "137681394362777990054220572964002058179",
                "142975858742031049477880172076800051828",
                "203598634951213534465747330965941789001",
                "163716403421700846906667530234405621781",
                "317986557153736425087238008084793996035",
                "238519764834600678469054849651481763603",
                "93227704173811863791141511083492932459",
                "88791466694522139178564174306992216343",
                "103019590927704249470899543114139376321",
                "77841915592605315089333655969047531240",
                "154038803093701615408291907311435998544",
                "262975630474639848023276571725028318126",
                "280175335559217037197328790295620441384",
                "29261712364992840501577639974975309736",
                "198518410689237081419018262826185960088",
                "261003641882765732018676017977844923181",
                "102945830147294261733650850005714985781",
                "70196362472973435179664887836685463438",
                "98136200847790978478183906301048952944",
                "148220903167292014333896411881072894254",
                "112743802115215259457116489040444028229",
                "314290810626926821994804814259417773724",
                "106407875581277610765102174148391597028",
                "22108762012841155499484521830349600840",
                "7179292035962996126116823087877580176",
                "327611018766656538872449455059416753972",
                "130656830246720395881826214564943429671",
                "54622022950901821246888125045551280937",
                "225295717380783183469772857211377099329",
                "293423430594466348730012397236555846876",
                "42302748561924312812961428263952810263",
                "198699169140994778824602578411698069490",
                "176949747484912305936256339836182072158"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "file": "src/filters/dasher.c"
        }
    },
    {
        "id": "CVE-2025-60486-a29bd9f3",
        "digest": {
            "function_hash": "72938795741503737622083433653794534487",
            "length": 2028.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "function": "dump_isom_saps",
            "file": "applications/mp4box/filedump.c"
        }
    },
    {
        "id": "CVE-2025-60486-a5d38257",
        "digest": {
            "line_hashes": [
                "242170403633445511533484490383533956107",
                "123559476618757254484850121810495946772",
                "274232141822084879926864990161210122112",
                "144407673426189294790732282237281067418"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "file": "src/isomedia/isom_read.c"
        }
    },
    {
        "id": "CVE-2025-60486-a788a807",
        "digest": {
            "line_hashes": [
                "123651366942589291184106866356819776233",
                "309068702292035141079474280135500620950",
                "146885122247678406655456477415361815509",
                "206138803660333225707896228933792087808"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "file": "src/compositor/mpeg4_geometry_ifs2d.c"
        }
    },
    {
        "id": "CVE-2025-60486-b16f5372",
        "digest": {
            "function_hash": "312013340158895046591627719361534586937",
            "length": 319.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "function": "gf_isom_get_esd",
            "file": "src/isomedia/isom_read.c"
        }
    },
    {
        "id": "CVE-2025-60486-c80451ae",
        "digest": {
            "function_hash": "14270339333290916441435841127438430668",
            "length": 1509.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b",
        "deprecated": false,
        "target": {
            "function": "TraverseIFS2D",
            "file": "src/compositor/mpeg4_geometry_ifs2d.c"
        }
    }
]