GPAC EUVD-2026-31945

CVE-2026-9567 · LOW
Improper Resource Shutdown or Release (CWE-404)
2026-05-26 · cna@vuldb.com · GHSA-8h6c-5qr8-7wvp
CVSS 4.0 score: 1.9 (NVD)

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 08, 2026 - 13:37 (vuln.today)
Analysis Generated: Jun 08, 2026 - 13:37 (vuln.today)

Description (CVE.org)

A security flaw has been discovered in GPAC up to 2.4.0. It affects the function MergeFragment in the file src/isomedia/isom_intern.c of the component MP4Box. Manipulation results in a null pointer dereference. The attack requires local access. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. Applying the patch is advised to correct this issue.

Analysis (AI)

Null pointer dereference in GPAC's MP4Box tool (versions 2.0 through 2.4.0) allows a local, low-privileged attacker to crash the application by supplying a crafted MP4 file with a malformed Protection System Header Box (PSSH). The vulnerability resides in the MergeFragment function, which fails to validate the private_data pointer before passing it to memmove, resulting in a denial-of-service impact limited to the MP4Box process. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local or pipeline access
Delivery: Craft MP4 file with null PSSH private_data
Exploit: Submit file to MP4Box processing
Execution: MergeFragment dereferences null pointer
Impact: MP4Box process crashes (local DoS)

Vulnerability Assessment (AI)

Exploitation: Local access with at least low-level operating system privileges is required - the CVSS vector (AV:L/PR:L) confirms this is not remotely exploitable. …
Risk Assessment: All available signals converge on very low real-world risk. …
Exploit Scenario: A local user with standard (low-privilege) account access submits a crafted MP4 file - constructed to include a PSSH box with a null private_data field or zero private_data_size - to a shared MP4Box processing workflow. When MP4Box's MergeFragment function encounters this box and attempts to call memmove against the null pointer, the process crashes with a segmentation fault, causing a denial of service for any concurrent jobs in that process. …
Remediation: Apply the upstream fix committed at https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1, which adds a null and size guard around the PSSH private_data copy in MergeFragment. …
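
The kind of null and size guard the remediation describes, shown as an added example that is not GPAC's code or the upstream patch. The type `pssh_box`, the function `copy_pssh_private_data`, the error codes and the sample payload are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed PSSH box; not GPAC's real type. */
typedef struct {
    uint8_t *private_data;      /* NULL when the box carries no payload */
    uint32_t private_data_size; /* length claimed by the box */
} pssh_box;

enum { PSSH_OK = 0, PSSH_BAD_PARAM = -1, PSSH_INCONSISTENT = -2, PSSH_OOM = -3 };

/* Copy src's payload into dst, checking pointer and size before memmove.
 * An empty payload (NULL or zero size) is valid and leaves dst empty. */
int copy_pssh_private_data(pssh_box *dst, const pssh_box *src)
{
    uint8_t *buf = NULL;

    if (!dst || !src) return PSSH_BAD_PARAM;
    /* NULL pointer with a non-zero claimed size is a malformed box. */
    if (!src->private_data && src->private_data_size) return PSSH_INCONSISTENT;

    if (src->private_data && src->private_data_size) {
        buf = malloc(src->private_data_size);
        if (!buf) return PSSH_OOM;
        memmove(buf, src->private_data, src->private_data_size);
    }
    free(dst->private_data);    /* free(NULL) is a no-op */
    dst->private_data = buf;
    dst->private_data_size = buf ? src->private_data_size : 0;
    return PSSH_OK;
}

/* Constructed cases: a malformed box is rejected, a valid one is copied. */
int pssh_guard_demo(void)
{
    uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed sample */
    pssh_box good = { payload, 4 }, bad = { NULL, 16 }, dst = { NULL, 0 };
    int rc = 0;

    if (copy_pssh_private_data(&dst, &bad) != PSSH_INCONSISTENT) rc = 1;
    if (copy_pssh_private_data(&dst, &good) != PSSH_OK) rc = 1;
    if (dst.private_data_size != 4) rc = 1;
    free(dst.private_data);
    return rc;
}

int main(void) { return pssh_guard_demo(); }
```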
