Gpac

By the Year

In 2026 there have been 21 vulnerabilities in Gpac with an average score of 5.6 out of ten. Last year, in 2025 Gpac had 6 security vulnerabilities published. That is, 15 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.64

Recent Gpac Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-8124	May 08, 2026	GPAC <=26.02.0 Local Resource Allocation via sidx_box_read in isomedia A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue.	Gpac
CVE-2026-39103	May 05, 2026	GPAC SVG Parser Buffer Overflow (CVE-2026-39103) Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()	Gpac
CVE-2026-7135	Apr 27, 2026	GPAC 26.03 OOB Read in MP4Box elng_box_read A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.	Gpac
CVE-2026-33144	Mar 20, 2026	Heap Buffer Overflow in GPAC MP4Box via Malicious <BS> Bits GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.	Gpac
CVE-2026-4185	Mar 15, 2026	GPAC MP4Box swf_def_bits_jpeg Stack Buffer Overflow (pre-2.5-DEV) A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.	Gpac
CVE-2026-4016	Mar 12, 2026	GPAC 26.03-DEV SVG Parser OOB Write via svgin_process A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.	Gpac
CVE-2026-4015	Mar 12, 2026	GPAC 26.03-DEV TeXML Parser Stack Buffer Overflow in txtin_process_texml A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5. Applying a patch is advised to resolve this issue.	Gpac
CVE-2026-27821	Feb 26, 2026	GPAC 26.02.0 NHML stack buffer overflow in dmx_nhml.c via strcpy GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue.	Gpac
CVE-2026-1418	Jan 26, 2026	GPAC < 2.4.1: OOB Write in SRT Subtitle Import A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.	Gpac
CVE-2026-1417	Jan 26, 2026	GPAC 2.x Null Pointer Deref in dump_isom_rtp (local) A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue.	Gpac