A buffer overflow occurs in GPAC when parsing SVG attributes, specifically within src/scenegraph/svg_attributes.c and the svg_parse_strings() function that calls gf_svg_parse_attribute(). The overflow can be triggered by malformed input, allowing an attacker to cause the program to crash and interrupt service availability. The impact is limited to denial of service without direct compromise of confidentiality or integrity, but repeated crashes could allow an attacker to disrupt operations and force manual intervention or automated reboot cycles.

Any GPAC installation using a version before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 is vulnerable. No specific vendor or product catalog is listed; the issue applies to the GPAC media framework itself. No explicit version range is provided beyond the reference commit, so all releases prior to that commit are considered at risk.

The CVSS score is not supplied, and the EPSS score is unavailable, so the precise severity cannot be quantified through these metrics. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation in the wild as of this report. The attack vector is inferred to be remote if the GPAC engine processes untrusted SVG content received over a network, or local if the attacker can supply crafted SVG files to the system. Exploitation requires the ability to feed malformed SVG into the parser, and thus may be mitigated by controlling input sources.