Description
A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.
Published: 2026-01-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

An out-of-bounds write vulnerability exists in the GPAC multimedia framework's SRT subtitle import routine, specifically the gf_text_import_srt_bifs function in src/scene_manager/text_to_bifs.c. The write results from improper bounds checking during subtitle data conversion and is classified as CWE-119 and CWE-787. An attacker with local access can supply a crafted SRT file that triggers the memory corruption, potentially allowing arbitrary code execution or privilege escalation on the host system. The impact is limited to systems that run an affected GPAC build, and exploitation requires local file manipulation.

Affected Systems

GPAC multimedia framework versions up to and including 2.4.0, including any applications that embed GPAC's subtitle processing component. The issue is tied to the SRT subtitle import feature of the core GPAC library. System administrators should be aware that any binaries compiled against these releases are vulnerable.

Risk and Exploitability

According to the CVSS scoring, this flaw scores 4.8, indicating moderate severity. The EPSS value is below 1 %, suggesting a low likelihood of widespread exploitation as of the last assessment. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local access to the GPAC installation and the ability to trigger subtitle import with a malicious SRT file. No remote attack vector is documented, so the risk is confined to environments where untrusted SRT input can be processed by a local instance of GPAC.

Generated by OpenCVE AI on April 18, 2026 at 02:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GPAC to a version newer than 2.4.0, such as 2.4.1 or later, where the out-of-bounds write bug has been fixed.
  • If an upgrade is not immediately possible, stop processing or loading SRT subtitle files until the patch is applied, or restrict SRT import to trusted, non-user supplied locations.
  • Apply the specific patch commit 10c73b82cf0e367383d091db38566a0e4fe71772 to the source code and rebuild the GPAC binaries, ensuring the bounds check is restored.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:15:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 28 Jan 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gpac; Gpac gpac
Vendors & Products | | Gpac; Gpac gpac

Mon, 26 Jan 2026 04:15:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.
Title | | GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write
Weaknesses | | CWE-119; CWE-787
References | |
Metrics | | cvssV2_0: {'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:56:25.925Z

Reserved: 2026-01-25T09:58:18.674Z

Link: CVE-2026-1418

Vulnrichment

Updated: 2026-01-26T15:16:59.469Z

NVD

Status: Modified

Published: 2026-01-26T04:16:10.360

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z
