CVE-2026-1416
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | to 2.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1416 is a null pointer dereference vulnerability in the DumpMovieInfo() function of the GPAC multimedia framework (up to version 2.4.0). It occurs when processing a specially crafted MP4 file containing a chapter track with an empty text sample (text_length = 0). In this case, the pointer txt->text remains NULL because memory is only allocated if the sample length is greater than zero. However, DumpMovieInfo() does not check if txt->text is NULL before passing it to fprintf() with the %s format specifier, leading to undefined behavior. On Linux systems with glibc, this results in printing "(null)" without crashing, but on other platforms like Windows, it causes a crash due to dereferencing a NULL pointer. The vulnerability requires local access to exploit and has a public proof-of-concept available. [1, 2, 4]
How can this vulnerability impact me? :
This vulnerability can cause the GPAC application to crash or behave unpredictably when processing maliciously crafted MP4 files with empty text samples in chapter tracks. This impacts the availability of the application, potentially leading to denial of service. Since the attack requires local access, an attacker must have the ability to run or open files locally to exploit it. The severity is considered low to medium, but it can disrupt normal multimedia processing and cause application instability. [1, 2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to process a specially crafted MP4 file containing a chapter track with an empty text sample using the GPAC tool MP4Box. Running the command `MP4Box -info <crafted_file.mp4>` triggers the vulnerability if present, as it will cause a null pointer dereference in the DumpMovieInfo function. A proof-of-concept malicious MP4 file and a Python script to generate it are publicly available. Monitoring for crashes or unexpected behavior when processing MP4 files locally with MP4Box can also indicate the presence of the vulnerability. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit d45c264c20addf0c1cc05124ede33f8ffa800e68, which adds a null pointer check before passing txt->text to fprintf in the DumpMovieInfo function. Until the patch is applied, avoid processing untrusted or crafted MP4 files locally with GPAC's MP4Box tool. Applying the patch prevents crashes and undefined behavior caused by the null pointer dereference. [3, 4]