Description
A weakness has been identified in GPAC up to 26.02.0. It affects an unknown part of the file src/utils/base_encoding.c in the ISOBMFF Parser component. Manipulation of a crafted input leads to improper handling of highly compressed data (data amplification). The attack needs to be launched locally. An exploit has been made available to the public and could be used for attacks. The fix is commit 297f2d8d1f493d8b241330533cd47f7da758aeb3; applying this patch remediates the issue. The vendor confirms: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error. This value could be adjusted later."
Published: 2026-06-29
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness resides in an unspecified section of base_encoding.c in GPAC’s ISOBMFF parser. An attacker can supply a crafted media file whose inflated output is vastly larger than the compressed input, leading to excessive memory or CPU consumption; the fix aborts inflation once the output exceeds 32 times the input size. Because the vulnerability is triggered only during local execution of the gpac binary, any user who can run gpac or feed it a media stream can use this flaw to exhaust the host's resources. The flaw is a resource exhaustion problem tied to improper size handling (CWE‑404 and CWE‑409).

Affected Systems

GPAC, specifically the ISOBMFF parser component included in the gpac binary. All releases up to and including version 26.02.0 are affected. The vendor has addressed the issue in a patch that introduces a size check on inflated output and aborts when that output would exceed 32 times the input size.
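As an added illustration (not GPAC's own code, whose fix is in C in src/utils/base_encoding.c), the following Python applies the same 32x output-to-input cap to a zlib stream using the standard library's incremental decompressor, so the check fires before an amplifying input is ever fully expanded in memory. The ratio, the sample payload and the zero-filled amplifier input are constructed here.

```python
import zlib

# Ratio taken from the vendor's description of the fix: inflated output
# larger than 32 times the compressed input is treated as an error.
MAX_RATIO = 32


class InflateTooLarge(ValueError):
    """Inflated output exceeded MAX_RATIO times the compressed input."""


def bounded_inflate(data: bytes, max_ratio: int = MAX_RATIO, chunk: int = 4096) -> bytes:
    """Inflate a zlib stream, refusing to emit more than max_ratio * len(data) bytes.

    Output is produced in chunk-sized pieces via max_length, so the limit is
    checked incrementally and an amplifying input is never fully expanded.
    """
    limit = max_ratio * len(data)
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        before = len(pending)
        # max_length caps this call's output; input it did not consume is
        # handed back in unconsumed_tail for the next iteration.
        piece = d.decompress(pending, max_length=chunk)
        out += piece
        if len(out) > limit:
            raise InflateTooLarge(
                f"inflated {len(out)} bytes from {len(data)} (limit {limit})")
        pending = d.unconsumed_tail
        if not piece and len(pending) == before:
            # No output and no input consumed: the stream is truncated.
            raise ValueError("truncated zlib stream")
    return bytes(out)


def inflate_ratio_ok(data: bytes) -> bool:
    """True if data inflates within the ratio cap, False if it is rejected."""
    try:
        bounded_inflate(data)
        return True
    except InflateTooLarge:
        return False


# Constructed samples: an ordinary payload and a data-amplification input
# (1 MB of zero bytes compresses to roughly a kilobyte).
NORMAL = zlib.compress(b"ISOBMFF sample payload " * 4)
AMPLIFIER = zlib.compress(b"\0" * 1_000_000)

if __name__ == "__main__":
    print("normal accepted:", inflate_ratio_ok(NORMAL))       # True
    print("amplifier accepted:", inflate_ratio_ok(AMPLIFIER))  # False
```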

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS data is not available and the CVE is not listed in CISA’s KEV catalog, but a public exploit is known. Because exploitation requires local execution, the risk is limited to users who can run or feed input to the gpac process. Successful exploitation would mainly cause a denial‑of‑service condition rather than a full compromise. Monitoring and containment remain advised until the patch is installed.

Generated by OpenCVE AI on June 29, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch commit 297f2d8d1f493d8b241330533cd47f7da758aeb3, which adds a size limit check for inflated output, or upgrade GPAC to a release that incorporates the fix.
  • If an upgrade is not possible, rebuild the gpac source with the patch applied.
  • Restrict local execution of the gpac binary to trusted users or run it inside a container with resource limits to mitigate denial‑of‑service activity.
  • Monitor memory and CPU usage during media file processing to detect abnormal spikes early.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 02:30:00 +0000

Initial record (no values removed; every field below is a value added):

Description: same text as the Description section above.
Title: GPAC ISOBMFF base_encoding.c data amplification
First Time appeared: Gpac; Gpac gpac
Weaknesses: CWE-404; CWE-409
CPEs: cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products: Gpac; Gpac gpac
References: (none)
Metrics:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T01:30:08.539Z

Reserved: 2026-06-28T07:47:20.977Z

Link: CVE-2026-13523

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T04:00:05Z

Weaknesses
  • CWE-404

    Improper Resource Shutdown or Release

  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)