Description
A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.
Published: 2026-03-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the GPAC MP4Box component within the function swf_def_bits_jpeg located in src/scene_manager/swf_parse.c. The overflow is triggered by malicious manipulation of the szName argument supplied when parsing a SWF file, allowing corruption of the call stack. If successfully exploited, the flaw can lead to remote code execution or a denial‑of‑service condition, and the CVE description confirms that the attack can be launched remotely and that a proof‑of‑concept exploit is publicly available. The weakness falls under the CWE categories 119 and 121.

Affected Systems

The vulnerability affects GPAC versions up to and including 2.5-DEV-rev2167-gcc9d617c0-master. All releases prior to the commit 8961c74f87ae3fe2d3352e622f7730ca96d50cf1 contain the flaw. The affected product is listed in the CPE string cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*, and any deployment that processes SWF files with MP4Box is potentially impacted.

Risk and Exploitability

The CVSS base score of 5.3 indicates a medium severity, but the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to feed a crafted SWF file to the vulnerable parser, which can be performed remotely via any interface that accepts SWF input. Attackers who succeed can execute arbitrary code or cause a crash, but the low EPSS indicates that active attacks are currently rare. Awareness of this flaw and monitoring for exploit activity remains advisable.

Generated by OpenCVE AI on March 17, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the GPAC patch identified by commit 8961c74f87ae3fe2d3352e622f7730ca96d50cf1 or upgrade to a release that includes this fix.
  • If an immediate upgrade is not feasible, disable the SWF file parsing functionality in MP4Box or ensure it runs in a restricted sandbox.
  • Regularly check the GPAC project repository or vendor advisories for additional updates or acknowledgments of this vulnerability.

Generated by OpenCVE AI on March 17, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 15 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.
Title GPAC MP4Box swf_parse.c swf_def_bits_jpeg stack-based overflow
First Time appeared Gpac
Gpac gpac
Weaknesses CWE-119
CWE-121
CPEs cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products Gpac
Gpac gpac
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Gpac Gpac
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-17T15:18:42.115Z

Reserved: 2026-03-14T22:01:16.865Z

Link: CVE-2026-4185

cve-icon Vulnrichment

Updated: 2026-03-17T15:18:37.233Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:59.700

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4185

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:35Z

Weaknesses