Description
Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()
Published: 2026-05-05
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in GPAC when parsing SVG attributes, specifically within src/scenegraph/svg_attributes.c and the svg_parse_strings() function that calls gf_svg_parse_attribute(). This buffer overflow (CWE‑122) can be triggered by malformed input, allowing an attacker to cause the program to crash and interrupt service availability. The impact is limited to denial of service without direct compromise of confidentiality or integrity, but repeated crashes could allow an attacker to disrupt operations and force manual intervention or automated reboot cycles.

Affected Systems

Any GPAC installation using a version before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 is vulnerable. No specific vendor or product catalog is listed; the issue applies to the GPAC media framework itself. No explicit version range is provided beyond the reference commit, so all releases prior to that commit are considered at risk.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is <1%, so the vulnerability is considered medium severity with low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation in the wild as of this report. The attack vector is inferred to be remote if the GPAC engine processes untrusted SVG content received over a network, or local if the attacker can supply crafted SVG files to the system. Exploitation requires the ability to feed malformed SVG into the parser, and thus may be mitigated by controlling input sources.

Generated by OpenCVE AI on May 7, 2026 at 01:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GPAC to commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 or later
  • If an update is unavailable, restrict or disable SVG parsing for untrusted sources until a patch is applied
  • Monitor system logs for repeated crashes or denial‑of‑service patterns that could indicate exploitation

Generated by OpenCVE AI on May 7, 2026 at 01:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Denial-of-Service via Buffer Overflow in GPAC SVG Parsing
Weaknesses CWE-119

Wed, 06 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Gpac
Gpac gpac
Vendors & Products Gpac
Gpac gpac

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Denial-of-Service via Buffer Overflow in GPAC SVG Parsing
Weaknesses CWE-119

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()
References

Subscriptions

Gpac Gpac
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T18:32:56.447Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39103

cve-icon Vulnrichment

Updated: 2026-05-06T18:27:56.375Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:12.993

Modified: 2026-05-07T15:15:06.770

Link: CVE-2026-39103

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T01:30:17Z

Weaknesses