Is there a public PoC exploit available for EUVD-2026-31955?

Yes, a public proof-of-concept exploit is available for EUVD-2026-31955. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for EUVD-2026-31955?

Yes, a patch is available for EUVD-2026-31955. Update the affected software to the latest version immediately.

GPAC MP4Box EUVD-2026-31955

Q: What is the CVSS score of EUVD-2026-31955?

EUVD-2026-31955 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-9572 LOW

Memory Leak (CWE-401)

2026-05-26 VulDB

GHSA-77xc-cwff-62wp

Information Disclosure Gpac

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Jun 08, 2026 - 13:38 vuln.today

Analysis Generated

Jun 08, 2026 - 13:38 vuln.today

CVSS changed

May 26, 2026 - 19:22 NVD

3.3 (LOW) 1.9 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue.

AnalysisAI

Memory leak in GPAC MP4Box up to version 2.4.0 allows a local, low-privileged attacker to exhaust process memory by supplying a crafted MP4 file that triggers the vulnerable Media_GetSample function in src/isomedia/media.c. The root cause is a missing zero-size guard before memory allocation when the cat argument is manipulated to produce a zero-sum of data_size and padding_bytes. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege local account

Delivery

Craft MP4 with zero-sum data_size/padding_bytes

Exploit

Invoke MP4Box on crafted file

Execution

Trigger unguarded zero-size allocation in Media_GetSample

Persist

Leak heap memory on each sample read

Impact

Degrade process availability

Access

Obtain low-privilege local account

Delivery

Craft MP4 with zero-sum data_size/padding_bytes

Exploit

Invoke MP4Box on crafted file

Execution

Trigger unguarded zero-size allocation in Media_GetSample

Persist

Leak heap memory on each sample read

Impact

Degrade process availability

Vulnerability AssessmentAI

Exploitation	Local execution environment is required - the CVSS vector specifies AV:L, meaning this vulnerability is not remotely exploitable under any configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	All available signals converge on very low real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A local attacker with standard user-level privileges crafts a malicious MP4 file in which the `cat` argument manipulation causes `data_size + padding_bytes` to resolve to zero during sample retrieval by `Media_GetSample`. When a victim or automated pipeline processes this file with MP4Box, the degenerate allocation path is triggered repeatedly, leaking memory until the process degrades or terminates. …
Remediation	The upstream fix is available as commit e79c5cbe8b3fed27f4854ec229457d30c96206f1 on the GPAC GitHub repository (https://github.com/gpac/gpac/commit/e79c5cbe8b3fed27f4854ec229457d30c96206f1). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2025-55642 MEDIUM This Month

6.5 Jun 13

Divide-by-zero in GPAC's MP4Box AVI demuxer crashes the process when handling crafted media files with zero-declared fra

CVE-2025-55648 MEDIUM This Month

5.5 Jun 13

Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) al

CVE-2025-55649 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box fragmentation pipeline allows unauthenticated remote attackers to crash the ap

CVE-2025-55641 MEDIUM This Month

5.5 Jun 13

NULL pointer dereference in GPAC's MP4Box crashes the application when importing a crafted MP4 file containing corrupted

CVE-2025-55644 MEDIUM This Month

5.5 Jun 13

Use-after-free memory corruption in GPAC's MP4Box triggers via gf_node_get_tag when parsing a crafted MP4 file containin

EUVD-2026-31955 vulnerability details – vuln.today

Back

GPAC MP4Box EUVD-2026-31955

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Share

External POC / Exploit Code