Description
A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
Published: 2026-07-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the GPAC TeXML File Handler’s txtin_probe_duration function. An attacker controlling the txml_timescale argument can cause a divide by zero error, leading to a crash of the GPAC process. The resulting denial of service disrupts local functionality of the application that processes TeXML files. The weakness is a classic divide‑by‑zero flaw (CWE‑369) and also highlights a lack of proper error handling (CWE‑404).

Affected Systems

The affected software is GPAC, specifically version 26.03‑DEV‑rev342‑g80071f700-master. No additional vendors or product lines are listed. The issue is confined to the load_text.c component that handles TeXML files. Systems running this GPAC build for processing TeXML content are impacted.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score is below 1 %, implying that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local, meaning that an attacker must have access to the host to supply a malicious TeXML file. The exploit would simply trigger a crash, causing a denial of service for the user or service performing the load. No active exploits are documented, and the low EPSS suggests current risk is limited, but the vulnerability could be leveraged by privileged users or automation scripts that manipulate TeXML content.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced by commit 86a5191f2e750c767253e27ed6cfd6d547afebc2 to update GPAC to a fixed build.
  • Rebuild or reinstall GPAC from the updated source if customized binaries are used, ensuring the firmware or container images contain the latest change.
  • Regenerate any dependent components or services that load TeXML files, and verify that the application no longer crashes when processing files with a timescale of zero.
  • Monitor application logs for unexpected termination events after applying the patch to confirm remediation effectiveness.

Generated by OpenCVE AI on July 6, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.
Title GPAC TeXML File load_text.c txtin_probe_duration divide by zero
First Time appeared Gpac
Gpac gpac
Weaknesses CWE-369
CWE-404
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products Gpac
Gpac gpac
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-06T12:52:53.879Z

Reserved: 2026-07-05T19:08:37.569Z

Link: CVE-2026-14801

cve-icon Vulnrichment

Updated: 2026-07-06T12:52:38.679Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-369

    Divide By Zero

  • CWE-404

    Improper Resource Shutdown or Release