Gpac

Products by Gpac Sorted by Most Security Vulnerabilities since 2018

Gpac: 370 vulnerabilities

Gpac Mp4box: 21 vulnerabilities

By the Year

In 2026 there have been 18 vulnerabilities in Gpac, with an average score of 5.7 out of ten. Last year, in 2025, Gpac had 6 security vulnerabilities published. That is, 12 more vulnerabilities have already been reported in 2026 than last year. Last year, the average CVE base score was greater by 0.49.

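| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 18 | 5.71 |
| 2025 | 6 | 6.20 |
| 2024 | 17 | 6.90 |
| 2023 | 84 | 6.76 |
| 2022 | 98 | 6.20 |
| 2021 | 116 | 6.75 |
| 2020 | 9 | 5.50 |
| 2019 | 23 | 7.03 |
| 2018 | 3 | 9.80 |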

It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Gpac Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-33144 Mar 20, 2026
Heap Buffer Overflow in GPAC MP4Box via Malicious <BS> Bits
GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been patched via commit 86b0e36.
Gpac
CVE-2026-4185 Mar 15, 2026
GPAC MP4Box swf_def_bits_jpeg Stack Buffer Overflow (pre-2.5-DEV)
A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.
Gpac
CVE-2026-4016 Mar 12, 2026
GPAC 26.03-DEV SVG Parser OOB Write via svgin_process
A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.
Gpac
CVE-2026-4015 Mar 12, 2026
GPAC 26.03-DEV TeXML Parser Stack Buffer Overflow in txtin_process_texml
A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5. Applying a patch is advised to resolve this issue.
Gpac
CVE-2026-27821 Feb 26, 2026
GPAC 26.02.0 NHML stack buffer overflow in dmx_nhml.c via strcpy
GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue.
Gpac
CVE-2026-1418 Jan 26, 2026
GPAC < 2.4.1: OOB Write in SRT Subtitle Import
A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.
Gpac
CVE-2026-1417 Jan 26, 2026
GPAC 2.x Null Pointer Deref in dump_isom_rtp (local)
A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue.
Gpac
CVE-2026-1416 Jan 26, 2026
GPAC Local Null Pointer Deref in DumpMovieInfo (2.4.0)
A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue.
Gpac
CVE-2026-1415 Jan 26, 2026
GPAC 2.0-2.4.0 Null Pointer Deref in gf_media_export_webvtt_metadata
A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch.
Gpac
CVE-2025-70302 Jan 15, 2026
Heap Overflow in GPAC v2.4.0 ghi_dmx_declare_opid_bin Causing DoS
A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Gpac
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).