CVE-2026-1415
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch.
Meta Information
Published: 2026-01-26
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
gpac | gpac | to 2.4.0 (inc)
CWE ID | Description
CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1415 is a NULL pointer dereference vulnerability in the GPAC multimedia framework, specifically in the function gf_media_export_webvtt_metadata. The issue occurs when processing a crafted MP4 file containing a track whose handler box lacks a name field, causing the handler pointer to be NULL. This NULL pointer is then passed to a printing function expecting a valid string, leading to undefined behavior such as incorrect metadata output or a crash depending on the platform. [1, 4]


How can this vulnerability impact me?

This vulnerability can impact you by causing the GPAC software to crash or exit unexpectedly when processing maliciously crafted MP4 files locally. On some platforms like Windows, this leads to a denial of service due to the crash, while on others like Linux with glibc, it results in incorrect metadata output. The attack requires local access and the exploit is publicly available, making it easier to exploit. The impact primarily affects software availability. [1, 3, 4]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is triggered when GPAC processes an MP4 file containing a track whose handler box ('hdlr') lacks a name field, which causes a NULL pointer dereference in the function gf_media_export_webvtt_metadata(). A practical detection method is to run the provided proof-of-concept (PoC) MP4 file through the command: MP4Box -webvtt-raw 1 poc_null_handler.mp4. If the output WebVTT metadata file contains the line 'label: (null)', the vulnerability is present. The command exercises the vulnerable function by triggering the NULL pointer dereference scenario. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to apply the patch identified by commit af951b892dfbaaa38336ba2eba6d6a42c25810fd, which adds necessary NULL pointer checks before printing handler and language information in the gf_media_export_webvtt_metadata() function. This patch prevents the NULL pointer dereference and ensures robustness when processing MP4 files with missing handler names. Until the patch is applied, avoid processing untrusted or specially crafted MP4 files locally with GPAC versions up to 2.4.0. [2, 3]
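
The kind of guard described above, as an added example; it is not GPAC's code and not the referenced patch. The struct, the function names and the two-field output layout are assumptions made for illustration; only the 'label:' line is taken from this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one track's metadata; handler_name is NULL
   when the track's 'hdlr' box carries no name. */
struct track_meta {
    const char *handler_name;
    const char *language;
};

/* Unguarded pattern, for comparison only (never called): NULL passed to %s
   is undefined behaviour; glibc prints "(null)", other runtimes may crash. */
int write_header_unguarded(char *out, size_t n, const struct track_meta *t)
{
    return snprintf(out, n, "label: %s\nlanguage: %s\n",
                    t->handler_name, t->language);
}

/* Append "key: val\n" only when val is non-NULL and the result fits. */
static int append_field(char *out, size_t n, size_t *used,
                        const char *key, const char *val)
{
    if (!val)
        return 0;                       /* missing field: skip it */
    int w = snprintf(out + *used, n - *used, "%s: %s\n", key, val);
    if (w < 0 || (size_t)w >= n - *used)
        return -1;                      /* output error or truncation */
    *used += (size_t)w;
    return 0;
}

/* Guarded pattern: returns the bytes written, or -1 on error. */
int write_header_guarded(char *out, size_t n, const struct track_meta *t)
{
    size_t used = 0;
    if (!out || n == 0 || !t)
        return -1;
    out[0] = '\0';
    if (append_field(out, n, &used, "label", t->handler_name) < 0 ||
        append_field(out, n, &used, "language", t->language) < 0)
        return -1;
    return (int)used;
}

int main(void)
{
    char buf[128];
    struct track_meta t = { NULL, "eng" };  /* constructed: no handler name */
    return write_header_guarded(buf, sizeof buf, &t) < 0 || fputs(buf, stdout) < 0;
}
```

With the guard in place a track without a handler name produces no 'label:' line at all, so the '(null)' marker used for detection above no longer appears.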

