Cyber Resilience

CVE-2025-70308

HighPublic PoC

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0017 38.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70308 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Gpac Gpac. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70308 is an out-of-bounds read vulnerability, classified under CWE-125, affecting the GSF demuxer filter component in GPAC version 2.4.0. Published on 2026-01-15, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue enables attackers to induce a Denial of Service condition by processing a specially crafted .gsf file.

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Exploitation leads to high-impact disruption of availability, such as application crashes or resource exhaustion, while confidentiality and integrity remain unaffected.

A proof-of-concept exploit is publicly available at https://github.com/zakkanijia/POC/blob/main/gpac_gsf/GPAC_gsf.md. No additional details on patches or mitigation steps from official advisories are provided in the CVE information.

EU & UK References

Vulnerability details

An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read in file parser enables crafted .gsf delivery (T1204.002) that directly triggers application crash/DoS via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-70298Same product: Gpac Gpac
CVE-2025-70307Same product: Gpac Gpac
CVE-2025-70304Same product: Gpac Gpac
CVE-2026-33144Same product: Gpac Gpac
CVE-2024-50664Same product: Gpac Gpac
CVE-2026-27821Same product: Gpac Gpac
CVE-2025-25723Same product: Gpac Gpac
CVE-2026-1418Same product: Gpac Gpac
CVE-2026-33905Shared CWE-125
CVE-2026-35176Shared CWE-125

Affected Assets

gpac
gpac
2.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws like the out-of-bounds read in GPAC's GSF demuxer by applying patches or upgrades.

prevent

Implements memory protection mechanisms such as address space layout randomization and data execution prevention to mitigate out-of-bounds read vulnerabilities.

prevent

Enforces validation of input .gsf files prior to processing by the GPAC demuxer to reject malformed files that trigger the out-of-bounds read.

References