Skip to main content

GPAC EUVDEUVD-2026-28483

| CVE-2026-8124 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-08 VulDB GHSA-qvg3-xf4r-fgqm
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 08, 2026 - 02:22 NVD
3.3 (LOW) 1.9 (LOW)
Source Code Evidence Fetched
May 08, 2026 - 02:15 vuln.today
Analysis Generated
May 08, 2026 - 02:15 vuln.today
CVE Published
May 08, 2026 - 01:15 nvd
LOW 3.3

DescriptionCVE.org

A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue.

AnalysisAI

Resource exhaustion in GPAC up to version 26.02.0 allows local attackers with limited privileges to trigger a denial-of-service condition via the sidx_box_read function in src/isomedia/box_code_base.c. The vulnerability stems from improper validation of allocation size parameters when parsing ISO media files, enabling exhaustion of system memory without requiring elevated privileges. Publicly available exploit code exists, and a patch is available from the vendor.

Technical ContextAI

GPAC is a multimedia framework that handles ISO Base Media File Format (ISO/IEC 14496-12) parsing. The vulnerable function sidx_box_read processes the Segment Index Box (sidx) within ISO media containers. The underlying defect is an integer overflow or missing bounds check (CWE-770: Allocation of Resources Without Limits or Throttling) in the calculation of memory required for the GF_SIDXReference array. The affected CPE indicates all versions up to 26.02.0 are vulnerable. The fix adds explicit validation: checking whether the number of references (ptr->nb_refs) exceeds both the available buffer size (ptr->size / 12) and potential integer overflow conditions (SIZE_MAX / sizeof(GF_SIDXReference)) before allocation.

RemediationAI

Vendor-released patch: Update GPAC to the version containing commit 442e2299530138d8f874fd885c565ba98a6318ba (verify the exact patched release version via GitHub releases). For environments unable to upgrade immediately, restrict GPAC's ability to process media files from untrusted sources by implementing OS-level resource limits (ulimit -m to cap virtual memory per process, or cgroup memory.max on Linux systems) to constrain the impact of allocation exhaustion attacks. Monitor GPAC process memory usage and implement automatic process restart on excessive memory consumption. These compensating controls do not eliminate the vulnerability but reduce impact by preventing system-wide memory exhaustion. Advisory references: https://github.com/gpac/gpac/issues/3519 and https://github.com/gpac/gpac/commit/442e2299530138d8f874fd885c565ba98a6318ba.

More in Gpac

View all
CVE-2023-46932 CRITICAL POC
9.8 Dec 09

Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitra

CVE-2023-2840 CRITICAL POC
9.8 May 22

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-36190 CRITICAL POC
9.8 Aug 17

GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. Rated crit

CVE-2022-1795 CRITICAL POC
9.8 May 18

Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2021-28300 CRITICAL POC
9.8 Apr 14

NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrack()" function of GPAC v0.5.2 allows attackers to e

CVE-2020-11558 CRITICAL POC
9.8 Apr 05

An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. Rated critical severity (CVSS 9.8), this

CVE-2018-13005 CRITICAL POC
9.8 Jun 29

An issue was discovered in MP4Box in GPAC 0.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2023-2838 CRITICAL POC
9.1 May 22

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2023-0841 HIGH POC
8.8 Feb 15

A vulnerability, which was classified as critical, has been found in GPAC 2.3-DEV-rev40-g3602a5ded.c. Rated high severit

CVE-2022-4202 HIGH POC
8.8 Nov 29

A vulnerability, which was classified as problematic, was found in GPAC 2.1-DEV-rev490-g68064e101-master. Rated high sev

CVE-2021-21850 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

CVE-2021-21849 HIGH POC
8.8 Aug 25

An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Adv

Share

EUVD-2026-28483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy