CVE-2025-70304

7.5 HIGH

📋 TL;DR

A buffer overflow in GPAC's vobsub_get_subpic_duration() function, which derives a subtitle's display duration from VobSub subpicture data, lets an attacker crash GPAC by supplying a crafted VobSub subpicture packet. The reported impact on GPAC v2.4.0 is denial of service: any GPAC-based tool or library consumer that processes the attacker's .idx/.sub subtitle files crashes, and the report does not claim arbitrary code execution.

💻 Affected Systems

Products:
  • GPAC (Multimedia Framework)
Versions: v2.4.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only systems that feed VobSub (.idx/.sub) subtitle files into GPAC are exposed, whether through the gpac or MP4Box command-line tools or through an application linked against libgpac; each of them reaches the same libgpac function.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Crash of every GPAC-dependent service that handles the file, denying service to the media-processing pipeline until the affected processes are restarted.

🟠 Likely Case: The process handling the malicious VobSub file crashes, causing a temporary disruption of that job or service until it is restarted.

🟢 If Mitigated: The crash is confined to an isolated worker process; with monitoring and automatic restart in place the impact is a single failed job.

🌐 Internet-Facing: MEDIUM - Requires processing of attacker-controlled subtitle files, which could be delivered via web services or media sharing platforms.
🏢 Internal Only: LOW - Typically requires local file processing or internal media workflows to trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept published on GitHub reportedly crashes GPAC reliably. Exploitation only requires getting the malicious .idx/.sub pair in front of a vulnerable GPAC instance; no authentication is involved, and the only user action needed is processing the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.4.1 or later. If GPAC comes from a distribution package, use the distribution's patched package; if you build from git master, confirm that the fixing commit is included rather than relying on the version string alone.

Vendor Advisory: https://github.com/gpac/gpac/security/advisories

Restart Required: Yes

Instructions:

1. Download the latest GPAC release from the official repository (or obtain your distribution's patched package).
2. Compile and install following the project's build instructions.
3. Restart all GPAC-dependent services so the patched libgpac is loaded; a running process keeps the old library mapped until it restarts.

🔧 Temporary Workarounds

Disable VobSub Processing (all platforms)

GPAC has no dedicated -no-vobsub switch. What it does offer is a per-session filter blacklist, so the workaround is to stop the VobSub demuxer filter from being loaded at all. The filter name below (vobsubdmx) is an assumption to confirm against the output of gpac -h filters, and the option name against gpac -hx core:

gpac -blacklist=vobsubdmx -i subs.idx [rest of your session]

With the demuxer blacklisted, VobSub inputs are simply not imported. This covers the filter-session code path only; if an application calls the VobSub parsing functions in libgpac directly, blacklisting a filter does not help.

Input Validation Filter (all platforms)

Parse each .idx/.sub pair yourself before it reaches GPAC and reject anything that is not well-formed: .idx filepos entries that point outside the .sub file, and subpicture units whose declared size or control-sequence offsets leave the unit. Treat the check as a gate in front of GPAC, not as a replacement for patching.
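
As an added example (not GPAC's code and not from the advisory), here is a bounds-checked walk of a VobSub subpicture unit's control sequences, the structure a validation filter has to sanity-check before handing files to a GPAC build whose vobsub_get_subpic_duration() crashes on crafted input. It assumes the standard DVD subpicture layout described in the docstring; the sample units are constructed, and the convention that the CHG_COLCON length field includes itself is an assumption.

```python
"""Bounds-checked walk of a DVD/VobSub subpicture unit (SPU).

Added example, not code from GPAC. It assumes the standard DVD subpicture
layout: bytes 0-1 hold the unit size (big-endian), bytes 2-3 the offset of
the first display control sequence (DCSQ); each DCSQ is a u16 delay in units
of 1024/90000 s, a u16 offset of the next DCSQ (the last one points to itself),
then commands terminated by 0xFF. Every offset is checked against the declared
size and the real buffer length before it is used, which is the check a
validation filter has to make before handing the file to a vulnerable parser.
"""
import struct

_FIXED_ARG_LEN = {0x00: 0, 0x01: 0, 0x02: 0, 0x03: 2, 0x04: 2, 0x05: 6, 0x06: 4}
CMD_STOP_DISPLAY = 0x02
CMD_CHG_COLCON = 0x07   # carries its own u16 length (assumed to include the length field)
CMD_END = 0xFF


class MalformedSPU(ValueError):
    """Raised for any offset or length that would leave the unit."""


def _u16(buf, pos, limit):
    # Read a big-endian u16 only if both bytes lie below limit.
    if pos < 0 or pos + 2 > limit:
        raise MalformedSPU(f"u16 read at offset {pos} exceeds {limit}")
    return struct.unpack_from(">H", buf, pos)[0]


def _walk_commands(spu, pos, size):
    """Walk one DCSQ command list; return (saw_stop_display, end_pos)."""
    stop = False
    while True:
        if pos >= size:
            raise MalformedSPU("command list runs past end of unit")
        cmd = spu[pos]
        pos += 1
        if cmd == CMD_END:
            return stop, pos
        if cmd == CMD_STOP_DISPLAY:
            stop = True
        if cmd == CMD_CHG_COLCON:
            length = _u16(spu, pos, size)
            if length < 2:
                raise MalformedSPU("CHG_COLCON length too small")
            pos += length
        elif cmd in _FIXED_ARG_LEN:
            pos += _FIXED_ARG_LEN[cmd]
        else:
            raise MalformedSPU(f"unknown command 0x{cmd:02x}")
        if pos > size:
            raise MalformedSPU("command arguments run past end of unit")


def spu_display_duration_ms(spu):
    """Duration in ms of the DCSQ that carries STOP_DISPLAY, 0 if there is none."""
    if len(spu) < 4:
        raise MalformedSPU("unit shorter than its 4-byte header")
    size = _u16(spu, 0, len(spu))
    if size < 4 or size > len(spu):
        raise MalformedSPU(f"declared size {size} disagrees with buffer of {len(spu)}")
    dcsq = _u16(spu, 2, size)
    while True:
        if dcsq + 4 > size:
            raise MalformedSPU(f"DCSQ offset {dcsq} is out of range")
        delay = _u16(spu, dcsq, size)
        nxt = _u16(spu, dcsq + 2, size)
        stop, end = _walk_commands(spu, dcsq + 4, size)
        if stop:
            return delay * 1024 // 90
        if nxt == dcsq:
            return 0          # last DCSQ and no STOP_DISPLAY: duration unknown
        if nxt < end:
            raise MalformedSPU("next DCSQ offset points backwards or overlaps")
        dcsq = nxt


def is_well_formed(spu):
    """True if the unit walks cleanly; what a pre-filter would gate on."""
    try:
        spu_display_duration_ms(spu)
        return True
    except MalformedSPU:
        return False


# Constructed 32-byte unit: 4-byte header, 4 bytes of dummy pixel data, two DCSQs.
GOOD_SPU = bytes.fromhex(
    "0020 0008"                                     # size 32, first DCSQ at 8
    "00000000"                                      # placeholder RLE pixel data
    "0000 001a 01 05 002cf0020cf0 06 00040006 ff"   # DCSQ0: delay 0, next 26, start display
    "0100 001a 02 ff"                               # DCSQ1: delay 256, next = self, stop display
)
# Same unit with DCSQ0's "next" pointing far past the end, the kind of value that
# walks an unchecked parser out of its buffer.
BAD_NEXT_SPU = GOOD_SPU[:10] + b"\x0f\xff" + GOOD_SPU[12:]
# Truncated buffer: declared size exceeds what was actually read.
TRUNCATED_SPU = GOOD_SPU[:20]

if __name__ == "__main__":
    print(spu_display_duration_ms(GOOD_SPU), "ms")       # 2912 ms
    for name, blob in (("bad next", BAD_NEXT_SPU), ("truncated", TRUNCATED_SPU)):
        print(name, "well-formed:", is_well_formed(blob))
```

The unit is rejected the moment any offset would be dereferenced outside both the declared size and the bytes actually read; a parser that checks only one of the two can still be walked out of a short buffer by a large declared size.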

🧯 If You Can't Patch

  • Isolate GPAC processing to dedicated containers/VMs with resource limits, run it as an unprivileged user, and restart workers automatically on SIGSEGV/SIGABRT exits
  • Implement strict file upload controls and scan all subtitle files before processing; treat a crash on a given file as a reason to quarantine that file, not to retry it

🔍 How to Verify

Check if Vulnerable:

Check the GPAC version with gpac -version (or MP4Box -version; both report the libgpac version they link against). If the first line reports 2.4.0, the system is vulnerable.

Check Version:

gpac -version 2>&1 | head -1

Verify Fix Applied:

After the update, confirm the version shows 2.4.1 or later, then, in an isolated environment (container or VM), run the public proof-of-concept VobSub file through the updated build and confirm that it is rejected or processed without a crash.

📡 Detection & Monitoring

Log Indicators:

  • Kernel or system log segfault messages for gpac, MP4Box or any process with libgpac as the faulting object
  • Crash reports or core dumps with vobsub_get_subpic_duration in the stack trace
  • Abnormal termination of GPAC workers: exit status 139 (128 + SIGSEGV) or, if a stack protector or FORTIFY check catches the overflow first, 134 (128 + SIGABRT)

Network Indicators:

  • Unusual VobSub (.idx/.sub) uploads or transfers to media servers
  • Repeated subtitle-processing failures from the same source or for the same file

SIEM Query:

process_name:("gpac" OR "MP4Box") AND (event_type:"crash" OR exit_code:139 OR exit_code:134) AND stack_trace:"vobsub_get_subpic_duration"
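
To make the indicators above concrete, here is an added example (not from the page or the GPAC project) that correlates a kernel segfault message with the backtrace lines that follow it and flags the crash when the trace names vobsub_get_subpic_duration. The log lines are constructed to look like journald output from the kernel, systemd and coredumpctl; the PIDs, addresses, service name and libgpac soname are made up, and the regexes will need adjusting to your collector's format.

```python
"""Host-log detection for GPAC crashes in vobsub_get_subpic_duration.

Added example, not code from the GPAC project. The sample lines are
constructed to mimic a kernel segfault message, a systemd exit status and a
coredumpctl backtrace as seen in journald; adapt the regexes to your format.
"""
import re

TARGET_FUNC = "vobsub_get_subpic_duration"
GPAC_PROCS = {"gpac", "MP4Box"}          # process names treated as GPAC

# Kernel: "<proc>[<pid>]: segfault at <addr> ip ... in <object>[<base>+<size>]"
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ .* in (?P<obj>[\w.+-]+)\["
)
# systemd: "status=11/SEGV", or "status=6/ABRT" when a hardening check aborts first
EXIT_RE = re.compile(r"status=(?P<sig>11/SEGV|6/ABRT)")
# Backtrace frame in gdb ("#0  0x... in func (") or coredumpctl ("#0  0x... func (") style
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+(?:in\s+)?(?P<func>[A-Za-z_]\w*)\s*\(")


def find_crashes(lines):
    """Return one record per GPAC crash. 'hit' becomes True when a backtrace
    frame following the crash line names the vulnerable function; frames
    belonging to crashes of other processes are ignored."""
    crashes, current = [], None
    for line in lines:
        m = SEGFAULT_RE.search(line)
        if m:
            is_gpac = m["proc"] in GPAC_PROCS or m["obj"].startswith("libgpac")
            current = None
            if is_gpac:
                current = {"proc": m["proc"], "pid": m["pid"], "obj": m["obj"],
                           "signal": None, "frames": [], "hit": False}
                crashes.append(current)
            continue
        if current is None:
            continue
        e = EXIT_RE.search(line)
        if e:
            current["signal"] = e["sig"]
            continue
        f = FRAME_RE.search(line)
        if f:
            current["frames"].append(f["func"])
            if f["func"] == TARGET_FUNC:
                current["hit"] = True
    return crashes


# Constructed journald-style sample: an unrelated ffmpeg crash, then a GPAC crash.
SAMPLE_LOG = [
    "Jan 01 12:00:01 media01 kernel: ffmpeg[311]: segfault at 10 ip 000055d0c0a1b2c3 "
    "sp 00007ffc0a0b0c00 error 6 in ffmpeg[55d0c0800000+2a00000]",
    "Jan 01 12:00:01 media01 coredumpctl: #0  0x000055d0c0a1b2c3 main (ffmpeg + 0x21b2c3)",
    "Jan 01 12:00:05 media01 kernel: gpac[4242]: segfault at 7f3a1d200000 ip 00007f3a1c0e4b10 "
    "sp 00007ffd5d7c2a30 error 4 in libgpac.so.12.0.0[7f3a1bf00000+6a0000]",
    "Jan 01 12:00:06 media01 systemd[1]: subs-import.service: Main process exited, "
    "code=dumped, status=11/SEGV",
    "Jan 01 12:00:06 media01 coredumpctl: Stack trace of thread 4242:",
    "Jan 01 12:00:06 media01 coredumpctl: #0  0x00007f3a1c0e4b10 vobsub_get_subpic_duration "
    "(libgpac.so.12 + 0x1e4b10)",
    "Jan 01 12:00:06 media01 coredumpctl: #1  0x00007f3a1c0e5230 n/a (libgpac.so.12 + 0x1e5230)",
]

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(crash)   # one record: gpac pid 4242, signal 11/SEGV, hit True
```

The ffmpeg crash is parsed but dropped, and its frame line is not attributed to the later GPAC crash because the current record is reset on every segfault line; symbol-less frames ("n/a") are skipped rather than recorded as a function name.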
