Gpac
Products by Gpac Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 24 vulnerabilities in Gpac with an average score of 5.3 out of ten. Last year, in 2025, Gpac had 6 security vulnerabilities published. That is, 18 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 0.89.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 24 | 5.31 |
| 2025 | 6 | 6.20 |
| 2024 | 17 | 6.90 |
| 2023 | 84 | 6.76 |
| 2022 | 98 | 6.20 |
| 2021 | 116 | 6.75 |
| 2020 | 9 | 5.50 |
| 2019 | 23 | 7.03 |
| 2018 | 3 | 9.80 |
It may take a day or so for new Gpac vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Gpac Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-70116 | May 27, 2026 | GPAC MP4Box NULL Pointer Deref During MP4 stsd Parsing. A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV). | |
| CVE-2026-9572 | May 26, 2026 | GPAC <=2.4.0 MP4Box Media_GetSample Local Memory Leak. A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Manipulation of the argument cat leads to a memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue. | |
| CVE-2026-9567 | May 26, 2026 | GPAC <=2.4.0 MP4Box MergeFragment Null Pointer Deref. A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in a null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue. | |
| CVE-2026-8124 | May 08, 2026 | GPAC <=26.02.0 Local Resource Allocation via sidx_box_read in isomedia. A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue. | |
| CVE-2026-39103 | May 05, 2026 | GPAC SVG Parser Buffer Overflow (CVE-2026-39103). Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute(). | |
| CVE-2026-7135 | Apr 27, 2026 | GPAC 26.03 OOB Read in MP4Box elng_box_read. A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Manipulation of the argument elng results in an out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded. | |
| CVE-2026-33144 | Mar 20, 2026 | Heap Buffer Overflow in GPAC MP4Box via Malicious <BS> Bits. GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been fixed via commit 86b0e36. | |
| CVE-2026-4185 | Mar 15, 2026 | GPAC MP4Box swf_def_bits_jpeg Stack Buffer Overflow (pre-2.5-DEV). A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. Manipulation of the argument szName results in a stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue. | |
| CVE-2026-4016 | Mar 12, 2026 | GPAC 26.03-DEV SVG Parser OOB Write via svgin_process. A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to an out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue. | |
| CVE-2026-4015 | Mar 12, 2026 | GPAC 26.03-DEV TeXML Parser Stack Buffer Overflow in txtin_process_texml. A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtin_process_texml of the file src/filters/load_text.c of the component TeXML File Parser. Executing a manipulation can lead to a stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5. Applying a patch is advised to resolve this issue. | |