CVE-2026-4016 - Vulnerability Details

- GPAC SVG Parser load_svg.c svgin_process out-of-bounds write

Description

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.

Published: 2026-03-12

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an out-of-bounds write in the function svgin_process of GPAC's SVG Parser, as described in the vendor's advisory. This defect corresponds to CWE‑119 and CWE‑787 and can corrupt memory, potentially causing application crashes or other unintended behavior. Key detail from vendor description: "The manipulation leads to out-of-bounds write." The damage is limited to the process that processes the SVG file; it does not grant arbitrary code execution by itself but may enable denial of service or a foothold for further attacks.

Affected Systems

Affecting the GPAC library, specifically the 26.03‑DEV release as mentioned in the advisory. No additional sub‑version details are listed beyond the commit that patches the issue. The product is identified by the CPE cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS base score is 4.8, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Attack requires local access to execute a crafted SVG file in the context of GPAC. The official patch commit 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2 demonstrates that exploitation is possible but limited to privilege level of the local user.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

GPAC

affected

Version	Status	Constraints
`26.03-DEV`	affected	—

No data.

Vendor Product Confidence Versions

Gpac

90%

Version	Status	Scheme	Platform
`26.03-DEV`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch commit 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2 from the GPAC GitHub repository or update to a GPAC release that includes this commit.

Generated by OpenCVE AI on March 18, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/gpac/gpac/
https://github.com/gpac/gpac/commit/7618d7206cdeb3c28961dc97ab0ecabaff0c8af2
https://github.com/gpac/gpac/issues/3468
https://github.com/user-attachments/files/25494042/poc_dims_oob.py
https://vuldb.com/?ctiid.350538
https://vuldb.com/?id.350538
https://vuldb.com/?submit.769798

History

Thu, 12 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 12 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.
Title		GPAC SVG Parser load_svg.c svgin_process out-of-bounds write
First Time appeared		Gpac Gpac gpac
Weaknesses		CWE-119 CWE-787
CPEs		cpe:2.3:a:gpac:gpac::::::::
Vendors & Products		Gpac Gpac gpac
References		https://github.com/gpac/gpac/ https://github.com/gpac/gpac/commit/7618d7206cdeb3c28961dc97ab0ecabaff0c8af2 https://github.com/gpac/gpac/issues/3468 https://github.com/user-attachments/files/25494042/poc_dims_oob.py https://vuldb.com/?ctiid.350538 https://vuldb.com/?id.350538 https://vuldb.com/?submit.769798
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Gpac Gpac

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-12T08:32:13.134Z

Updated: 2026-03-12T13:24:13.403Z

Reserved: 2026-03-11T19:19:43.566Z

Link: CVE-2026-4016

Vulnrichment

Updated: 2026-03-12T13:24:07.324Z

NVD

Status : Deferred

Published: 2026-03-12T09:15:58.797

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:56Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object