CVE-2025-70308
Published: 15 January 2026
Summary
CVE-2025-70308 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in GPAC (vendor Gpac, product Gpac). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 38.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-70308 is an out-of-bounds read vulnerability, classified under CWE-125, affecting the GSF demuxer filter component in GPAC version 2.4.0. Published on 2026-01-15, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue enables attackers to induce a Denial of Service condition by processing a specially crafted .gsf file.
Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation leads to high-impact disruption of availability, such as application crashes or resource exhaustion, while confidentiality and integrity remain unaffected.
A proof-of-concept exploit is publicly available at https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md. No additional details on patches or mitigation steps from official advisories are provided in the CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2742
Vulnerability details
An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read in the file parser means a crafted .gsf file delivered to a victim (Malicious File, T1204.002) directly triggers an application crash or Denial of Service when parsed (Application or System Exploitation, T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws such as the out-of-bounds read in GPAC's GSF demuxer by applying patches or upgrading to a fixed release.
- SI-16 (Memory Protection): implements memory protection mechanisms such as address space layout randomization and data execution prevention to reduce the exploitability of out-of-bounds read vulnerabilities. Note that these hardenings do not stop an out-of-bounds read from crashing the process, so they limit escalation rather than the availability impact itself; patching remains the primary fix.
- SI-10 (Information Input Validation): enforces validation of input .gsf files before they reach the GPAC demuxer, rejecting malformed files that would trigger the out-of-bounds read.