CVE-2025-70298
Published: 15 January 2026
Summary
CVE-2025-70298 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in GPAC. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Mitigating Controls (NIST 800-53 r5)
Remediating the out-of-bounds read flaw in GPAC's oggdmx_parse_tags function directly eliminates exposure to malicious OGG files.
Validating OGG file inputs and tag structures before parsing prevents out-of-bounds reads from malformed data.
Memory protection mechanisms like ASLR and DEP mitigate exploitation of the out-of-bounds read for crashes or info disclosure.
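An added example (not GPAC's code and not taken from the referenced proof-of-concept) of the input validation described above: a bounds-checked walk over a Vorbis-comment style tag block, the length-prefixed layout used for OGG tags. The function names and the sample bytes are assumptions constructed for illustration, and the block is assumed to start after the codec's header magic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: vendor "abc", two tags (TITLE=x, ARTIST=y). */
static const uint8_t SAMPLE[] = {
    3,0,0,0,'a','b','c', 2,0,0,0,
    7,0,0,0,'T','I','T','L','E','=','x',
    8,0,0,0,'A','R','T','I','S','T','=','y' };

/* Read a 32-bit little-endian value at *off, only if 4 bytes remain. */
static int read_u32le(const uint8_t *buf, size_t size, size_t *off, uint32_t *out)
{
    if (*off > size || size - *off < 4) return -1;
    const uint8_t *p = buf + *off;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *off += 4;
    return 0;
}

/* Walk the tag block: vendor string, entry count, then length-prefixed
 * "KEY=value" entries. Returns the number of well-formed tags, or -1 as
 * soon as a declared length exceeds the bytes left in the buffer. */
int parse_comment_block(const uint8_t *buf, size_t size)
{
    size_t off = 0;
    uint32_t len, count;

    if (read_u32le(buf, size, &off, &len) || len > size - off)
        return -1;
    off += len;                              /* skip the vendor string */
    if (read_u32le(buf, size, &off, &count)) return -1;

    int tags = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (read_u32le(buf, size, &off, &len) || len > size - off)
            return -1;
        /* Entries are not NUL-terminated: search for '=' within the
         * declared length only, never with strchr() or strlen(). */
        const uint8_t *entry = buf + off;
        const uint8_t *sep = len ? memchr(entry, '=', len) : NULL;
        if (sep && sep != entry) tags++;     /* require a non-empty key */
        off += len;
    }
    return tags;
}
```

Every length is compared against the bytes remaining (`size - off`) rather than added to the offset first, so a declared length near `UINT32_MAX` cannot wrap the check.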
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the media demuxer enables remote client-side exploitation via a malicious OGG file (T1203) and targeted application DoS via memory corruption (T1499.004).
NVD Description
GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.
Deeper analysis
CVE-2025-70298 affects GPAC version 2.4.0, an open-source multimedia framework, and involves an out-of-bounds read vulnerability in the oggdmx_parse_tags function within its OGG demuxer component. Classified under CWE-125 (Out-of-bounds Read), the issue was published on 2026-01-15 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity due to its potential for remote exploitation with significant availability impact.
The vulnerability can be exploited by any unauthenticated remote attacker requiring no user interaction or privileges, targeting systems processing untrusted OGG files with GPAC. Attackers can achieve a high-impact denial of service, such as crashing the application, alongside limited disclosure of sensitive information from memory adjacent to the affected buffer.
A proof-of-concept demonstrating the off-by-one out-of-bounds read is publicly available at https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md. No official advisories or patches are referenced in the available information.
Details
- CWE(s)