3.3

CVE-2026-9567

Exploit

GPAC MP4Box isom_intern.c MergeFragment null pointer dereference

A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellern/a
Produkt GPAC
Version 2.0
Status affected
Version 2.1
Status affected
Version 2.2
Status affected
Version 2.3
Status affected
Version 2.4.0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.018
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@vuldb.com 3.3 1.8 1.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
cna@vuldb.com 1.9 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 1.7 3.1 2.9
AV:L/AC:L/Au:S/C:N/I:N/A:P
CWE-404 Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/gpac/gpac/
https://vuldb.com/vuln/365629
https://vuldb.com/vuln/365629/cti
https://vuldb.com/submit/816075
https://github.com/gpac/gpac/issues/3549
https://github.com/user-attachments/files/27196918/poc.zip
https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1