CVE-2026-33144
Heap-Based Buffer Overflow in GPAC MP4Box via Malicious NHML
Publication date: 2026-03-20
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | to 2026-03-17 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33144 is a heap-based buffer overflow vulnerability in the GPAC MP4Box component. It occurs in the function gf_xml_parse_bit_sequence_bs when processing specially crafted NHML files containing malicious <BS> (BitSequence) elements. The vulnerability arises because the function does not properly validate the bits attribute, allowing an attacker to specify an excessively large value that causes an out-of-bounds write on the heap.
Specifically, when the bits attribute exceeds the maximum supported bit width (greater than 64), the code shifts by an exponent wider than the 64-bit type (undefined behaviour), and the resulting write lands one byte past the end of the allocated buffer. This can cause application crashes or potentially allow arbitrary code execution depending on the heap layout.
The issue was fixed by adding validation to ensure the bits attribute does not exceed 64 and by improving error handling to prevent processing malformed data.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a denial of service through application crashes when processing malicious NHML files.
More severely, depending on the heap layout and allocator behavior, it may allow an attacker to execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected system.
Exploitation requires local access and user interaction but no special privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by building GPAC MP4Box with AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) enabled and running it on an NHML file whose <BS> element triggers the heap-based buffer overflow; the sanitizers report the out-of-bounds write (and the invalid shift exponent) at the point where they occur.
A proof of concept involves building GPAC with sanitizers enabled and executing a command similar to: mp4box -add fuzz_dims.nhml output.mp4, where fuzz_dims.nhml is a crafted NHML file designed to trigger the vulnerability.
No specific network detection commands are provided, as the attack vector is local and requires user interaction with crafted NHML files.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC to a version that includes the patch applied in commit 86b0e36ea4c71402fbdaf7e13d73ba8841003e72, which adds strict validation of the bits attribute to ensure it does not exceed 64 and validates the length of hexadecimal data.
If updating is not immediately possible, avoid processing untrusted or crafted NHML files containing <BS> elements with MP4Box, as these can trigger the vulnerability.
The patch also improves error handling by aborting processing when invalid bit lengths or malformed hex data are detected, preventing exploitation.
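To make the checks described in the explanation and mitigation answers above concrete, here is an added example in C that is not GPAC's code: it validates a <BS> element's bits attribute (1..64) and its hexadecimal value before packing the bits into a caller-supplied buffer, so an oversized bits value never reaches a shift or a store. The attribute semantics, the return codes, the 16-hex-digit limit and the bs_self_check helper are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of handling one <BS bits="N" value="0x.."/> element (constructed codes). */
enum bs_status { BS_OK = 0, BS_BAD_BITS, BS_BAD_HEX, BS_VALUE_TOO_WIDE, BS_OUT_OF_SPACE };

static const char HEX[] = "0123456789abcdef";
static int hex_nibble(char c)
{
    const char *p = c ? strchr(HEX, (c >= 'A' && c <= 'F') ? c + 32 : c) : NULL;
    return p ? (int)(p - HEX) : -1;
}

/* Validate the element, then append its `bits` bits (MSB first) to `out`, a
 * zero-initialised buffer of out_cap bytes, at bit offset *bit_pos. All checks
 * run before the first shift or store, so bits > 64 never reaches either. */
enum bs_status bs_append(const char *value_hex, unsigned bits,
                         uint8_t *out, size_t out_cap, size_t *bit_pos)
{
    if (bits == 0 || bits > 64) return BS_BAD_BITS;      /* the bound the patch adds */
    if (!value_hex) return BS_BAD_HEX;
    if (value_hex[0] == '0' && (value_hex[1] == 'x' || value_hex[1] == 'X'))
        value_hex += 2;
    size_t ndig = strlen(value_hex);
    if (ndig == 0 || ndig > 16) return BS_BAD_HEX;      /* 16 hex digits = 64 bits */
    uint64_t v = 0;
    for (size_t i = 0; i < ndig; i++) {
        int n = hex_nibble(value_hex[i]);
        if (n < 0) return BS_BAD_HEX;
        v = (v << 4) | (uint64_t)n;
    }
    if (bits < 64 && (v >> bits) != 0) return BS_VALUE_TOO_WIDE;
    if (*bit_pos > out_cap * 8 || bits > out_cap * 8 - *bit_pos)
        return BS_OUT_OF_SPACE;                          /* would write past out */
    for (unsigned i = 0; i < bits; i++, (*bit_pos)++)
        if ((v >> (bits - 1 - i)) & 1)                   /* shift stays in 0..63 */
            out[*bit_pos / 8] |= (uint8_t)(0x80u >> (*bit_pos % 8));
    return BS_OK;
}
/* Self-check: one valid 5-bit field, then a 65-bit element. Returns the first
 * packed byte (0xF8) or 0xFFFF if the oversized element was not rejected. */
unsigned bs_self_check(void)
{
    uint8_t buf[8] = {0}; size_t pos = 0;
    if (bs_append("0x1F", 5, buf, sizeof buf, &pos) != BS_OK) return 0xFFFF;
    if (bs_append("0x1", 65, buf, sizeof buf, &pos) != BS_BAD_BITS) return 0xFFFF;
    return pos == 5 ? buf[0] : 0xFFFF;
}
```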