CVE-2025-15667
A vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/is
CVSS
3.3
Bajo
EPSS
0.1%
p2
KEV
—
Exploit Today
0
0-100
Publicado: 6 jul 2026 · Última mod.: 6 jul 2026 · CWE-119 · CWE-415
0.1%EPSS · 30 días0.1%
2026-07-072026-07-16
A vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/isomedia/avc_ext.c of the component MP4Box. This manipulation of the argument nalu_out_bs causes double free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: f29f955f2a3b5e8e507caad3e52319f961bf37bf. To fix this issue, it is recommended to deploy a patch.
- github.comhttps://github.com/TimChan2001/pocs/raw/refs/heads/main/poc-gpac-1
- github.comhttps://github.com/gpac/gpac/
- github.comhttps://github.com/gpac/gpac/commit/f29f955f2a3b5e8e507caad3e52319f961bf37bf
- github.comhttps://github.com/gpac/gpac/issues/3403
- vuldb.comhttps://vuldb.com/cve/CVE-2025-15667
- vuldb.comhttps://vuldb.com/submit/846839
- vuldb.comhttps://vuldb.com/vuln/376292
- vuldb.comhttps://vuldb.com/vuln/376292/cti
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-312778.8 ALT71.0%
KEV—71Apple Multiple Products Buffer Overflow Vulnerability2dCVE-2026-239188.8 ALT98.7%
——30Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol.
This issue affects Apache HTTP Server: 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.2dCVE-2005-445910.0 SIN96.2%
——29Heap-based buffer overflow in the NAT networking components vmnat.exe and vmnet-natd in VMWare Workstation 5.5, GSX Server 3.2, ACE 1.0.1, and Player 1.0 allows remote authenticated attackers, including guests, to execute arbitrary code via crafted (1) EPRT and (2) PORT FTP commands.9dCVE-2011-40454.3 SIN88.5%
——27Buffer overflow in an unspecified ActiveX control in aipgctl.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to cause a denial of service via a crafted HTML document.7dCVE-2025-434338.8 ALT62.4%
——19The issue was addressed with improved memory handling. This issue is fixed in Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. Processing maliciously crafted web content may lead to memory corruption.2dCVE-2026-89259.8 CRÍ61.3%
——18The curl logic that works with SASL authentication could end up cleaning up
the GSASL context *twice* without clearing the pointer in between, making it
`free()` the same pointer twice.9d