Description
A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue.
Published: 2026-01-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability is a null pointer dereference in the dump_isom_rtp function of GPAC's filedump module. By manipulating specific input data, a local attacker can trigger the dereference, causing the application to crash. The crash may lead to denial of service for processes that rely on GPAC’s filedump functionality. The weakness is identified as CWE‑476 and CWE‑404, indicating that internal control flow handling and error checking are insufficient.

Affected Systems

GPAC, the media processing and streaming framework, is affected in all releases up to and including version 2.4.0. Users running GPAC 2.4.0 or any prior release should verify whether the identified vulnerability exists in their binary and plan an upgrade accordingly.

Risk and Exploitability

The CVSS v3.1 score is 4.8, reflecting a moderate severity due to local exploitation requirements. The EPSS score is below 1%, suggesting a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. However, because the flaw requires only local access, it can be abused by privileged users or through local privilege escalation to cause service disruption. The only known fix is a patch that resolves the null dereference and is recommended for all vulnerable versions.

Generated by OpenCVE AI on April 18, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC to the latest release that includes the patch commit f96bd57c3ccdcde4335a0be28cd3e8fe296993de or any version newer than 2.4.0.
  • Restrict local access to the GPAC binaries or to the inputs processed by filedump, ensuring that only trusted users can invoke the vulnerable functionality.
  • Monitor application logs for unexpected termination or stack trace entries that indicate a null pointer dereference and investigate any such events promptly.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 28 Jan 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:* |

Mon, 26 Jan 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 26 Jan 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Gpac; Gpac gpac |
| Vendors & Products | | Gpac; Gpac gpac |

Mon, 26 Jan 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue. |
| Title | | GPAC filedump.c dump_isom_rtp null pointer dereference |
| Weaknesses | | CWE-404; CWE-476 |
| References | | |
| Metrics | | cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'} |
| | | cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:56:11.664Z

Reserved: 2026-01-25T09:56:56.395Z

Link: CVE-2026-1417

Vulnrichment

Updated: 2026-01-26T15:22:20.568Z

NVD

Status: Modified

Published: 2026-01-26T04:16:10.180

Modified: 2026-02-23T09:16:54.617

Link: CVE-2026-1417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses