CVE-2026-1417
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | up to and including 2.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1417 is a NULL pointer dereference (CWE-476) in the GPAC multimedia framework up to and including version 2.4.0. It sits in dump_isom_rtp(), the routine behind MP4Box's RTP hint-track dump, and is triggered by a crafted MP4 file whose hint track carries no SDP (Session Description Protocol) data. The code hands the SDP pointer to fprintf() through a %s conversion without first checking that it is non-NULL. Passing NULL to %s is undefined behaviour in C: some C libraries print "(null)" and carry on, others dereference the pointer and crash, so the outcome ranges from a wrong dump to a denial of service depending on the platform. [1, 3]
How can this vulnerability impact me?
Processing a maliciously crafted MP4 file with a vulnerable GPAC build can make the tool crash or exit unexpectedly. The impact is a denial of service against availability only; no code execution or data disclosure is described. The attacker needs the file to be opened locally with the vulnerable tool, so the attack vector is local. On Linux with glibc the bug typically shows up as incorrect output ("(null)" in the dump) rather than a crash; on other platforms such as Windows it can crash the process. A public proof of concept exists, which lowers the effort needed to reproduce the issue. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the installed version: `MP4Box -version` prints it, and anything at or below 2.4.0 that does not carry the fix commit is affected. To confirm the behaviour, run the dump against a crafted MP4 file whose hint track has no SDP information, for example `MP4Box -drtp poc_null_sdp.mp4` where `poc_null_sdp.mp4` is the crafted file. Output containing `<SDPInfo>(null)</SDPInfo>` (or a crash of MP4Box on platforms whose C library does not tolerate NULL for %s) shows the unpatched code path is present. This is a local, file-based test with a crafted input, so run it in a sandbox where a crash is acceptable; there is no network-observable signature for this issue. [3]
What immediate steps should I take to mitigate this vulnerability?
Update to a GPAC build that contains commit f96bd57c3ccdcde4335a0be28cd3e8fe296993de, which adds NULL checks in `dump_isom_rtp` before the SDP information is printed: the SDP pointer and its size are verified before use, so a hint track without SDP no longer reaches fprintf() with a NULL argument. Until the fix is deployed, do not run MP4Box (in particular its RTP hint-track dump options) on untrusted MP4 files with a vulnerable version, or confine such processing to a sandbox where a crash of the tool cannot affect anything else. [2, 4]
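The vulnerable and hardened shapes side by side, as an added example that is not GPAC's own code. The `hint_track_t` structure, the function names and the sample SDP are assumptions made for illustration; only the pattern (an unconditional `%s` on a possibly NULL SDP pointer, versus a check on pointer and size before printing, as the fix commit does) and the `<SDPInfo>(null)</SDPInfo>` marker quoted in the detection answer come from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for a hint track's SDP data (not GPAC's own
 * structures). sdp is legitimately NULL when the track carries no SDP. */
typedef struct {
    const char *sdp;
    unsigned sdp_size;
} hint_track_t;

/* Vulnerable shape described in the advisory: the pointer goes straight to %s.
 * With sdp == NULL this is undefined behaviour: glibc happens to print
 * "(null)", other C runtimes may dereference NULL and crash. Never call this
 * with a NULL sdp; it is here only to contrast with the checked version. */
static int dump_sdp_unchecked(char *out, size_t outlen, const hint_track_t *t)
{
    return snprintf(out, outlen, "<SDPInfo>%s</SDPInfo>\n", t->sdp);
}

/* Hardened shape: verify pointer and size before printing, emit an empty
 * element otherwise, and report to the caller which path was taken. */
static int dump_sdp_checked(char *out, size_t outlen, const hint_track_t *t)
{
    if (t->sdp == NULL || t->sdp_size == 0) {
        snprintf(out, outlen, "<SDPInfo/>\n");
        return 0;   /* no SDP on this track; nothing was dereferenced */
    }
    /* Bound the read with the stored size so a non-terminated SDP blob
     * cannot be over-read either (a separate but related hazard). */
    snprintf(out, outlen, "<SDPInfo>%.*s</SDPInfo>\n", (int)t->sdp_size, t->sdp);
    return 1;
}

/* Detection helper for the MP4Box -drtp output quoted in the advisory:
 * the "(null)" marker means the unchecked path ran on an SDP-less track. */
int output_indicates_vulnerable(const char *dump)
{
    return strstr(dump, "<SDPInfo>(null)</SDPInfo>") != NULL;
}

/* Constructed sample SDP for the track-with-SDP case. */
static const char SAMPLE_SDP[] = "v=0\r\nm=video 0 RTP/AVP 96\r\n";

/* Track without SDP: the checked dump must take the safe path. */
int no_sdp_path_is_safe(void)
{
    hint_track_t t = { NULL, 0 };
    char buf[64];
    int had_sdp = dump_sdp_checked(buf, sizeof buf, &t);
    return had_sdp == 0 && strcmp(buf, "<SDPInfo/>\n") == 0;
}

/* Track with SDP: both versions produce the same dump; only the NULL
 * case differs between them. */
int sdp_path_prints_payload(void)
{
    hint_track_t t = { SAMPLE_SDP, (unsigned)(sizeof SAMPLE_SDP - 1) };
    char checked[128], unchecked[128];
    int had_sdp = dump_sdp_checked(checked, sizeof checked, &t);
    dump_sdp_unchecked(unchecked, sizeof unchecked, &t);
    return had_sdp == 1 && strcmp(checked, unchecked) == 0
        && strstr(checked, "m=video 0 RTP/AVP 96") != NULL;
}

int main(void)
{
    printf("no-SDP track handled without dereference: %s\n",
           no_sdp_path_is_safe() ? "yes" : "no");
    printf("SDP track dumped identically by both versions: %s\n",
           sdp_path_prints_payload() ? "yes" : "no");
    printf("'(null)' marker detected in sample dump: %s\n",
           output_indicates_vulnerable("<SDPInfo>(null)</SDPInfo>\n") ? "yes" : "no");
    return 0;
}
```

The checked version returns a status so callers can distinguish "no SDP" from "SDP printed" instead of inferring it from the text, and it uses the stored size as a precision bound; the fix commit's essential change is the pointer-and-size test before the print, which is what `dump_sdp_checked` reproduces.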