Description
A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a null pointer dereference in the MergeFragment function of GPAC's MP4Box component. Feeding a specially crafted isomedia file causes the code to dereference a null pointer and crash. A local attacker can force the crash by controlling the input, resulting in denial of service.

Affected Systems

GPAC versions up to and including 2.4.0 are affected. The flaw resides in src/isomedia/isom_intern.c used by MP4Box, so any installation of GPAC in this version range on any platform is susceptible.

Risk and Exploitability

The CVSS base score of 4.8 indicates moderate severity. The attack requires local file access, so remote exploitation is not possible. EPSS is not available and the vulnerability is not listed in the KEV catalog, but a public exploit has been released. Processing a malicious file will cause the application to crash; applying the official fix, commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1, eliminates the issue.

Generated by OpenCVE AI on May 26, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by updating GPAC to a version that includes commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1 or newer.
  • If a patch cannot be applied immediately, restrict execution of MP4Box to trusted users and allow only verified media files to be processed.
  • Validate or sanitize input files before they reach the MergeFragment function to prevent malformed data from triggering a null dereference.

Tracking

Advisories

No advisories yet.

History

Tue, 26 May 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none listed)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 18:00:00 +0000

Values Removed: (none listed)
Values Added:
Description: A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.
Title: GPAC MP4Box isom_intern.c MergeFragment null pointer dereference
First Time appeared: Gpac; Gpac gpac
Weaknesses: CWE-404; CWE-476
CPEs: cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
Vendors & Products: Gpac; Gpac gpac
References:
Metrics:
cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T18:23:16.064Z

Reserved: 2026-05-26T10:52:27.927Z

Link: CVE-2026-9567

Vulnrichment

Updated: 2026-05-26T18:23:09.559Z

NVD

Status: Deferred

Published: 2026-05-26T18:16:58.883

Modified: 2026-05-26T19:37:00.120

Link: CVE-2026-9567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T20:15:14Z

Weaknesses