Description
A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample in the file src/isomedia/media.c of the component MP4Box. Manipulation of the argument cat leads to a memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The patch is identified by commit e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply the patch to resolve this issue.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Media_GetSample function within GPAC's MP4Box component. Improper handling of the cat argument causes a memory leak, so available memory is gradually lost. The leak does not directly grant code execution or compromise confidentiality, but repeated exploitation can degrade system performance or disrupt service once memory resources are exhausted.

Affected Systems

GPAC, version 2.4.0 and earlier, specifically the MP4Box tool. The issue is contained within the media.c source file and affects all builds that include this component. No specific sub-component or operating system variant is singled out.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. Exploitation requires local access to the target system; there is no known remote attack vector. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low to moderate likelihood of widespread exploitation. However, repeated local attacks could still deplete memory over time, potentially affecting the availability of the host or of co-executing processes.

Generated by OpenCVE AI on May 26, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit e79c5cbe8b3fed27f4854ec229457d30c96206f1 to the GPAC source code.
  • Upgrade GPAC to a version newer than 2.4.0 if a patch is not immediately available.
  • Limit local access to the MP4Box executable or run it inside a container or virtual machine to contain the impact of a potential memory leak.

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 19:00:00 +0000

Values Removed: (none)

Values Added:
  Description: added (same text as the Description at the top of this page)
  Title: GPAC MP4Box media.c Media_GetSample memory leak
  First Time appeared: Gpac; Gpac gpac
  Weaknesses: CWE-401; CWE-404
  CPEs: cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*
  Vendors & Products: Gpac; Gpac gpac
  References:
  Metrics:
    cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-28T13:45:34.959Z

Reserved: 2026-05-26T12:36:48.590Z

Link: CVE-2026-9572

Vulnrichment

Updated: 2026-05-28T13:44:26.495Z

NVD

Status: Analyzed

Published: 2026-05-26T19:16:34.890

Modified: 2026-05-28T14:32:47.800

Link: CVE-2026-9572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:15:16Z

Weaknesses
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-404: Improper Resource Shutdown or Release