CVE-2026-27821
Received Received - Intake
Stack Buffer Overflow in GPAC NHML File Parser

Publication date: 2026-02-26

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27821
EUVD
EUVD-2026-8784
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 26.02.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27821 is a stack-based buffer overflow vulnerability in the GPAC multimedia framework, specifically in the NHML demuxer component within the file src/filters/dmx_nhml.c.

The issue occurs because the value of the xmlHeaderEnd XML attribute is copied into a fixed-size stack buffer of 1000 bytes using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites memory beyond the buffer boundary, causing a stack buffer overflow.

This vulnerability arises from improper handling of XML attribute values during NHML file parsing, leading to potential memory corruption.

Impact Analysis

The impact of this vulnerability depends on the presence of stack canary protection in the environment where GPAC is running.

  • If stack canary protection is enabled, the overflow triggers a denial-of-service (DoS) by causing the process to abort.
  • If stack canary protection is disabled, an attacker can gain control over the instruction pointer (RIP), potentially allowing arbitrary code execution.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of the GPAC multimedia framework (versions up to and including 26.02.0) that includes the NHML demuxer component with the unsafe strcpy usage in src/filters/dmx_nhml.c.

Detection can involve checking the GPAC version installed and verifying if the patch from commit 9bd7137fded2db40de61a2cf3045812c8741ec52 has been applied.

You can use commands like the following to check the installed GPAC version:

  • gpac -v

To check if the vulnerable source file contains the unsafe strcpy call, you can search for it in the source code if you have it locally:

  • grep -n strcpy src/filters/dmx_nhml.c

Additionally, monitoring for crashes or abnormal process aborts of GPAC when parsing NHML files could indicate exploitation attempts, especially if stack canary protection is enabled.

Mitigation Strategies

The immediate mitigation step is to update GPAC to a version that includes the patch for this vulnerability, specifically versions after 26.02.0 where commit 9bd7137fded2db40de61a2cf3045812c8741ec52 has been applied.

If updating is not immediately possible, avoid processing untrusted NHML files or any files that could contain maliciously crafted xmlHeaderEnd attributes.

Additionally, enabling stack canary and other memory protection mechanisms in your environment can help mitigate the impact by causing process aborts instead of arbitrary code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27821. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart