Skip to main content

Gpac CVE-2026-4185

| EUVDEUVD-2026-12241 LOW
Stack-based Buffer Overflow (CWE-121)
2026-03-15 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
CVSS changed
Apr 22, 2026 - 21:37 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 15, 2026 - 19:00 euvd
EUVD-2026-12241
Analysis Generated
Mar 15, 2026 - 19:00 vuln.today
Patch released
Mar 15, 2026 - 19:00 nvd
Patch available
CVE Published
Mar 15, 2026 - 18:32 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.

AnalysisAI

Stack-based buffer overflow vulnerability in GPAC's MP4Box component, specifically in the swf_def_bits_jpeg function of src/scene_manager/swf_parse.c, affecting versions up to 2.5-DEV-rev2167. An authenticated attacker can exploit this remotely by manipulating the szName argument to cause a stack overflow, resulting in information disclosure, data modification, or denial of service. A public proof-of-concept exists, and a vendor patch is available; exploitation requires valid credentials (CVSS 6.3 with authenticated access requirement).

Technical ContextAI

GPAC is an open-source multimedia framework used for MP4 and media processing. The vulnerable component MP4Box is a utility for manipulating ISO Base Media Files (MP4, MOV, etc.) and also processes SWF (Shockwave Flash) files. The vulnerability exists in the swf_parse.c module's swf_def_bits_jpeg function, which handles JPEG bitmap definitions within SWF files. The root cause is CWE-121 (Stack-based Buffer Overflow), where insufficient bounds checking on the szName parameter allows an attacker to write beyond allocated stack buffer boundaries. This is typical of unsafe string handling in C-based media parsers. The SWF file format is the attack vector—a specially crafted SWF file embedded in or processed by MP4Box can trigger the overflow.

RemediationAI

Immediate patching is required: Apply commit 8961c74f87ae3fe2d3352e622f7730ca96d50cf1 from the GPAC repository (https://github.com/gpac/gpac/commit/8961c74f87ae3fe2d3352e622f7730ca96d50cf1). Users should update GPAC to a version incorporating this patch (likely 2.5 or later stable release when available). Interim mitigations: (1) Disable SWF file processing in MP4Box if not required; (2) Restrict MP4Box access to trusted input files only; (3) Run MP4Box with minimal privileges and in isolated environments; (4) Implement input validation/sanitization for SWF files before processing; (5) Monitor for suspicious MP4/SWF file processing attempts. Verify patch application by checking the git history or version string post-update.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

CVE-2026-4185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy