Cyber Resilience

CVE-2025-70298

HighPublic PoC

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS Score 0.0039 31.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-70298 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Gpac Gpac. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-70298 affects GPAC version 2.4.0, an open-source multimedia framework, and involves an out-of-bounds read vulnerability in the oggdmx_parse_tags function within its OGG demuxer component. Classified under CWE-125 (Out-of-bounds Read), the issue was published on 2026-01-15 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), indicating high severity due to its potential for remote exploitation with significant availability impact.

The vulnerability can be exploited by any unauthenticated remote attacker requiring no user interaction or privileges, targeting systems processing untrusted OGG files with GPAC. Attackers can achieve a high-impact denial of service, such as crashing the application, alongside limited disclosure of sensitive information from memory adjacent to the affected buffer.

A proof-of-concept demonstrating the off-by-one out-of-bounds read is publicly available at https://github.com/zakkanijia/POC/blob/main/dmx_ogg/GPAC_oggdmx_parse_tags_offbyone.md. No official advisories or patches are referenced in the available information.

EU & UK References

Vulnerability details

GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read in media demuxer enables remote client-side exploitation via malicious OGG file (T1203) and targeted application DoS via memory corruption (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70308Same product: Gpac Gpac
CVE-2025-70304Same product: Gpac Gpac
CVE-2025-70307Same product: Gpac Gpac
CVE-2025-25723Same product: Gpac Gpac
CVE-2024-50664Same product: Gpac Gpac
CVE-2026-27821Same product: Gpac Gpac
CVE-2026-33144Same product: Gpac Gpac
CVE-2026-1418Same product: Gpac Gpac
CVE-2026-33096Shared CWE-125
CVE-2026-22023Shared CWE-125

Affected Assets

gpac
gpac
2.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the out-of-bounds read flaw in GPAC's oggdmx_parse_tags function directly eliminates the vulnerability to malicious OGG files.

prevent

Validating OGG file inputs and tag structures before parsing prevents out-of-bounds reads from malformed data.

prevent

Memory protection mechanisms like ASLR and DEP mitigate exploitation of the out-of-bounds read for crashes or info disclosure.

References