Skip to main content

GPAC CVE-2026-39103

| EUVDEUVD-2026-27349 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-05-05 mitre
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 06, 2026 - 19:22 vuln.today
Analysis Generated
May 06, 2026 - 19:22 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
5.5 (MEDIUM)

DescriptionCVE.org

Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()

AnalysisAI

Heap buffer overflow in GPAC's SVG attribute parser allows local attackers to cause denial of service by providing crafted SVG input that triggers out-of-bounds memory access in the svg_parse_strings() function. The vulnerability requires user interaction (opening a malicious SVG file) and operates with low complexity on local systems. While CVSS score is moderate (5.5) and EPSS probability is very low (0.02%), the issue affects the widely-used multimedia framework's SVG handling and has been confirmed fixed upstream.

Technical ContextAI

GPAC is an open-source multimedia framework that implements ISO/IEC standards for digital media. The vulnerability exists in the SVG attribute parsing subsystem (src/scenegraph/svg_attributes.c), specifically in the svg_parse_strings() function called by gf_svg_parse_attribute(). The root cause is a heap buffer overflow (CWE-122) where pointer arithmetic on the 'sep' variable proceeds without checking for null pointer dereference or end-of-string conditions. The code iterates through separator characters (spaces, commas, semicolons) when parsing SVG string attributes, but fails to validate that the pointer remains valid before dereferencing it. The commit fix adds explicit null pointer checks ('!sep || !sep[0]') before accessing sep[0], preventing out-of-bounds access into heap memory.

RemediationAI

Apply the upstream fix by updating GPAC to a version that includes commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 or later. Users should clone the repository (https://github.com/gpac/gpac) and verify their local commit is at or after the patched version, then rebuild. If immediate patching is not feasible, implement input validation to reject SVG files with malformed attribute strings (specifically those with incomplete separator sequences) before passing them to GPAC's parser, or restrict GPAC SVG file processing to trusted sources only. For automated systems, disable SVG parsing entirely if not required for the application's core functionality. Note that the patch is backward compatible and requires only recompilation; no configuration changes are needed.

Share

CVE-2026-39103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy