CVE-2026-27821
Stack Buffer Overflow in GPAC NHML File Parser
Publication date: 2026-02-26
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | up to and including 26.02.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27821 is a stack-based buffer overflow vulnerability in the GPAC multimedia framework, specifically in the NHML demuxer component within the file src/filters/dmx_nhml.c.
The issue occurs because the value of the xmlHeaderEnd XML attribute is copied into a fixed-size stack buffer of 1000 bytes using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites memory beyond the buffer boundary, causing a stack buffer overflow.
This vulnerability arises from improper handling of XML attribute values during NHML file parsing, leading to potential memory corruption.
How can this vulnerability impact me?
The impact of this vulnerability depends on the presence of stack canary protection in the environment where GPAC is running.
- If stack canary protection is enabled, the overflow triggers a denial-of-service (DoS) by causing the process to abort.
- If stack canary protection is disabled, an attacker can gain control over the instruction pointer (RIP), potentially allowing arbitrary code execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system is running a vulnerable version of the GPAC multimedia framework (versions up to and including 26.02.0) that includes the NHML demuxer component with the unsafe strcpy usage in src/filters/dmx_nhml.c.
Detection can involve checking the GPAC version installed and verifying if the patch from commit 9bd7137fded2db40de61a2cf3045812c8741ec52 has been applied.
You can use commands like the following to check the installed GPAC version:
- gpac -v
To check if the vulnerable source file contains the unsafe strcpy call, you can search for it in the source code if you have it locally:
- grep -n strcpy src/filters/dmx_nhml.c
Additionally, monitoring for crashes or abnormal process aborts of GPAC when parsing NHML files could indicate exploitation attempts, especially if stack canary protection is enabled.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC to a version that includes the patch for this vulnerability, specifically versions after 26.02.0 where commit 9bd7137fded2db40de61a2cf3045812c8741ec52 has been applied.
If updating is not immediately possible, avoid processing untrusted NHML files or any files that could contain maliciously crafted xmlHeaderEnd attributes.
Additionally, enabling stack canary and other memory protection mechanisms in your environment can help mitigate the impact by causing process aborts instead of arbitrary code execution.
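Where untrusted NHML files cannot be avoided before the update is rolled out, they can be screened before they reach GPAC. The following is an added example, not code from this page or from the GPAC project: the function name `check_nhml`, the case-insensitive attribute match and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ATTR = "xmlheaderend"  # attribute named in the advisory; matched case-insensitively (assumption)
BUF_SIZE = 1000        # size of the stack buffer stated in the advisory


def check_nhml(data):
    """Return a list of findings for one NHML document; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A more lenient parser may still accept what this one rejects, so fail closed.
        return [f"unparseable XML ({exc}); quarantine instead of processing"]
    findings = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
            if local.lower() != ATTR:
                continue
            size = len(value.encode("utf-8"))  # bytes after entity decoding
            # strcpy() also writes the terminating NUL, so only BUF_SIZE - 1 bytes fit.
            if size >= BUF_SIZE:
                findings.append(
                    f"<{elem.tag}> {name} is {size} bytes; "
                    f"the buffer holds {BUF_SIZE - 1} plus the NUL"
                )
    return findings


# Constructed sample documents (not taken from a real file or from the advisory).
SAFE = b'<NHNTStream xmlHeaderEnd="trailer.xml"><NHNTSample/></NHNTStream>'
EDGE = b'<NHNTStream xmlHeaderEnd="' + b"A" * 999 + b'"/>'
LONG = b'<NHNTStream xmlHeaderEnd="' + b"A" * 1000 + b'"/>'
MULTIBYTE = ('<NHNTStream xmlHeaderEnd="' + "\u00e9" * 500 + '"/>').encode("utf-8")
BROKEN = b'<NHNTStream xmlHeaderEnd="x"'

if __name__ == "__main__":
    samples = [("safe", SAFE), ("edge", EDGE), ("long", LONG),
               ("multibyte", MULTIBYTE), ("broken", BROKEN)]
    for label, doc in samples:
        print(label, check_nhml(doc) or "ok")
```

The length is measured in UTF-8 bytes rather than characters, so a 500-character value of two-byte characters is flagged just like 1000 ASCII bytes.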