CVE-2026-1416
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1416
EUVD
EUVD-2026-4696
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 2.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1416 is a null pointer dereference vulnerability in the DumpMovieInfo() function of the GPAC multimedia framework (up to version 2.4.0). It occurs when processing a specially crafted MP4 file containing a chapter track with an empty text sample (text_length = 0). In this case, the pointer txt->text remains NULL because memory is only allocated if the sample length is greater than zero. However, DumpMovieInfo() does not check if txt->text is NULL before passing it to fprintf() with the %s format specifier, leading to undefined behavior. On Linux systems with glibc, this results in printing "(null)" without crashing, but on other platforms like Windows, it causes a crash due to dereferencing a NULL pointer. The vulnerability requires local access to exploit and has a public proof-of-concept available. [1, 2, 4]

Impact Analysis

This vulnerability can cause the GPAC application to crash or behave unpredictably when processing maliciously crafted MP4 files with empty text samples in chapter tracks. This impacts the availability of the application, potentially leading to denial of service. Since the attack requires local access, an attacker must have the ability to run or open files locally to exploit it. The severity is considered low to medium, but it can disrupt normal multimedia processing and cause application instability. [1, 2, 4]

Detection Guidance

This vulnerability can be detected by attempting to process a specially crafted MP4 file containing a chapter track with an empty text sample using the GPAC tool MP4Box. Running the command `MP4Box -info <crafted_file.mp4>` triggers the vulnerability if present, as it will cause a null pointer dereference in the DumpMovieInfo function. A proof-of-concept malicious MP4 file and a Python script to generate it are publicly available. Monitoring for crashes or unexpected behavior when processing MP4 files locally with MP4Box can also indicate the presence of the vulnerability. [1, 4]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit d45c264c20addf0c1cc05124ede33f8ffa800e68, which adds a null pointer check before passing txt->text to fprintf in the DumpMovieInfo function. Until the patch is applied, avoid processing untrusted or crafted MP4 files locally with GPAC's MP4Box tool. Applying the patch prevents crashes and undefined behavior caused by the null pointer dereference. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart