Description
GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.
Published: 2026-03-20
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Patch
AI Analysis

Impact

A heap‑based buffer overflow occurs in the GPAC MP4Box utility when it parses an NHML file containing malicious <BS> elements. The flaw stems from the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c, where an out‑of‑bounds write can corrupt memory on the heap. The CVE description does not assert arbitrary code execution; it indicates that such corruption could result in memory corruption or a process crash.

Affected Systems

GPAC is the affected vendor and MP4Box is the relevant component. All releases of GPAC prior to the inclusion of commit 86b0e36e are vulnerable. Users who have not incorporated this commit, regardless of source, remain exposed.

Risk and Exploitability

The CVSS score of 5.8 reflects moderate severity, and an EPSS score of less than 1 % implies a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to supply a specially crafted NHML file to a running MP4Box instance, triggering the overflow during parsing.

Generated by OpenCVE AI on April 14, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch that includes commit 86b0e36
  • If patching is not possible, avoid processing NHML files from untrusted sources or restrict file permissions to limit exposure
  • Check the vendor's website or repository for future updates or additional patches

Generated by OpenCVE AI on April 14, 2026 at 22:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac gpac
Vendors & Products Gpac
Gpac gpac

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.
Title GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H'}

Subscriptions

Gpac Gpac
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T21:22:31.163Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33144

cve-icon Vulnrichment

Updated: 2026-03-20T21:20:54.031Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T21:17:15.077

Modified: 2026-04-14T18:21:42.587

Link: CVE-2026-33144

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses