CVE-2026-33144
Received Received - Intake
Heap-Based Buffer Overflow in GPAC MP4Box via Malicious NHML

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33144
EUVD
EUVD-2026-13782
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 2026-03-17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33144 is a heap-based buffer overflow vulnerability in the GPAC MP4Box component. It occurs in the function gf_xml_parse_bit_sequence_bs when processing specially crafted NHML files containing malicious <BS> (BitSequence) elements. The vulnerability arises because the function does not properly validate the bits attribute, allowing an attacker to specify an excessively large value that causes an out-of-bounds write on the heap.

Specifically, when the bits attribute exceeds the maximum supported bit width (greater than 64), a shift exponent overflow happens, leading to writing beyond the allocated buffer size by one byte. This can cause application crashes or potentially allow arbitrary code execution depending on the heap layout.

The issue was fixed by adding validation to ensure the bits attribute does not exceed 64 and by improving error handling to prevent processing malformed data.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service through application crashes when processing malicious NHML files.

More severely, depending on the heap layout and allocator behavior, it may allow an attacker to execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected system.

Exploitation requires local access and user interaction but no special privileges.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by running GPAC MP4Box with a specially crafted NHML file containing malicious <BS> elements that trigger the heap-based buffer overflow. Using debugging tools such as AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) while running MP4Box with such crafted input can help detect the out-of-bounds write.

A proof of concept involves building GPAC with sanitizers enabled and executing a command similar to: mp4box -add fuzz_dims.nhml output.mp4, where fuzz_dims.nhml is a crafted NHML file designed to trigger the vulnerability.

No specific network detection commands are provided, as the attack vector is local and requires user interaction with crafted NHML files.

Mitigation Strategies

The immediate mitigation step is to update GPAC to a version that includes the patch applied in commit 86b0e36ea4c71402fbdaf7e13d73ba8841003e72, which adds strict validation of the bits attribute to ensure it does not exceed 64 and validates the length of hexadecimal data.

If updating is not immediately possible, avoid processing untrusted or crafted NHML files containing <BS> elements with MP4Box, as these can trigger the vulnerability.

The patch also improves error handling by aborting processing when invalid bit lengths or malformed hex data are detected, preventing exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart