CVE-2026-1417
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes a null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying the patch is the recommended action to fix this issue.
Meta Information
Published: 2026-01-26
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Vendor | Product | Version / Range
gpac | gpac | up to 2.4.0 (inclusive)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use.
Executive Summary

CVE-2026-1417 is a NULL pointer dereference vulnerability in the GPAC multimedia framework up to version 2.4.0. It occurs in the function dump_isom_rtp() when processing a specially crafted MP4 file containing a hint track that lacks SDP (Session Description Protocol) information. The vulnerability arises because the code passes a NULL pointer to fprintf() using the %s format specifier without checking if the pointer is NULL. This can cause undefined behavior such as a crash or denial of service, especially on platforms where passing NULL to %s is not handled gracefully. [1, 3]

Impact Analysis

This vulnerability can cause the GPAC application to crash or exit unexpectedly when processing maliciously crafted MP4 files, leading to a denial of service and impacting the availability of the software. The attack requires local access to the system to open the malicious file. On some platforms like Linux with glibc, the issue may result in incorrect output rather than a crash, but on others such as Windows, it can cause a crash. The exploit is publicly available, making it easier for attackers to leverage this issue. [1, 3, 4]

Detection Guidance

This vulnerability can be detected by attempting to process a specially crafted MP4 file containing a hint track without SDP information using the vulnerable GPAC version (up to 2.4.0). A proof-of-concept involves running the command `MP4Box -drtp poc_null_sdp.mp4` where `poc_null_sdp.mp4` is a malicious MP4 file crafted to trigger the NULL pointer dereference. If the output contains `<SDPInfo>(null)</SDPInfo>`, it indicates the vulnerability is present. This detection requires local execution and testing with crafted files. [3]

Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit f96bd57c3ccdcde4335a0be28cd3e8fe296993de, which adds proper NULL checks before printing SDP information in the `dump_isom_rtp` function. This patch prevents the NULL pointer dereference by verifying that the SDP pointer and size are valid before use. Until patched, avoid processing untrusted or crafted MP4 files locally with vulnerable GPAC versions to reduce risk. [2, 4]
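The following C snippet is an added illustration and is not GPAC's code: the `hint_track_t` type, the function names and the sample SDP text are constructed for this example. It places the unguarded `"%s"` pattern the executive summary describes beside a guarded dumper that, like the fix described above, checks both the SDP pointer and its size before formatting, and adds a small helper that flags the `<SDPInfo>(null)</SDPInfo>` marker named in the detection guidance when scanning captured MP4Box output.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a hint track's SDP payload (not GPAC's types). */
typedef struct {
    const char *sdp;    /* SDP text, or NULL when the track carries no SDP */
    unsigned int size;  /* number of bytes readable at sdp */
} hint_track_t;

/* Vulnerable pattern: the track's SDP pointer goes straight into "%s".
 * When sdp is NULL this is undefined behaviour: glibc happens to print
 * "(null)", other C libraries dereference the pointer and crash.
 * Kept only for comparison; never call it with a NULL sdp. */
int dump_sdp_vulnerable(const hint_track_t *track, char *out, size_t out_len)
{
    return snprintf(out, out_len, "<SDPInfo>%s</SDPInfo>\n", track->sdp);
}

/* Hardened pattern: check the pointer and the length before formatting.
 * Emits an empty element when no SDP is present, and bounds the read with
 * "%.*s" so the SDP bytes need not be NUL-terminated.
 * Returns the number of characters written, or -1 if out was too small. */
int dump_sdp_hardened(const hint_track_t *track, char *out, size_t out_len)
{
    int n;
    if (track == NULL || track->sdp == NULL || track->size == 0) {
        n = snprintf(out, out_len, "<SDPInfo/>\n");
    } else {
        n = snprintf(out, out_len, "<SDPInfo>%.*s</SDPInfo>\n",
                     (int)track->size, track->sdp);
    }
    if (n < 0 || (size_t)n >= out_len) return -1;
    return n;
}

/* Convenience wrapper: render a track into a static buffer and return it,
 * or NULL if the hardened dumper reported truncation. */
const char *render_track(const char *sdp, unsigned int size)
{
    static char buf[256];
    hint_track_t track = { sdp, size };
    return dump_sdp_hardened(&track, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Detection helper for captured dump output: 1 if the line shows the
 * "(null)" marker the advisory describes, 0 otherwise. */
int output_shows_null_sdp(const char *line)
{
    return strstr(line, "<SDPInfo>(null)</SDPInfo>") != NULL;
}

int main(void)
{
    /* Constructed samples: one track with SDP, one without (the CVE case). */
    const char sdp_text[] = "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\n";
    fputs(render_track(sdp_text, (unsigned int)(sizeof sdp_text - 1)), stdout);
    fputs(render_track(NULL, 0), stdout);
    printf("vulnerable marker present: %d\n",
           output_shows_null_sdp("<SDPInfo>(null)</SDPInfo>"));
    return 0;
}
```

The guarded version treats a zero size the same as a missing pointer, which is the second condition the patch description mentions; using `%.*s` also means the dumper never reads past the advertised size even when the SDP box is not NUL-terminated.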
