CVE-2026-4015
Stack-Based Buffer Overflow in GPAC TeXML File Parser
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | 26.03-dev |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4015 is a stack-based buffer overflow vulnerability in the GPAC multimedia framework version 26.03-DEV. It occurs in the function txtin_process_texml within the file src/filters/load_text.c, specifically in the TeXML File Parser component.
The vulnerability arises because fixed-size stack arrays (such as GF_StyleRecord styles[50] and Marker marks[50]) are accessed without proper bounds checking. When a crafted TeXML file contains more than 50 <sharedStyles> blocks or marker blocks, the counters tracking these blocks (nb_styles and nb_marks) exceed the array limits, causing out-of-bounds writes and a stack buffer overflow.
This overflow can be triggered locally by processing a malicious TeXML file, potentially leading to Denial of Service (DoS) or arbitrary code execution. The issue has been fixed by adding boundary checks to prevent writing beyond the allocated array sizes.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with local access to cause a stack-based buffer overflow in the GPAC software when processing a specially crafted TeXML file.
The consequences of exploitation include Denial of Service (crashing the application) or potentially arbitrary code execution, which could compromise the confidentiality, integrity, and availability of the affected system.
Since the exploit is publicly available and relatively straightforward to execute, it poses a moderate security risk if the vulnerable GPAC version is used without applying the patch.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the stack buffer overflow using a specially crafted TeXML file containing more than 50 <sharedStyles> blocks. A proof-of-concept file named poc_texml_overflow.xml can be used to trigger the overflow.
The vulnerability can be tested by running the following command, which uses the GPAC tool MP4Box to add the crafted TeXML file:
- MP4Box -add poc_texml_overflow.xml:ext=texml -new /tmp/test.mp4
If the system is vulnerable, this command triggers a stack buffer overflow, which can be detected by monitoring for crashes or using debugging tools such as AddressSanitizer (ASAN) to observe memory errors.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step to mitigate this vulnerability is to apply the official patch identified by commit d29f6f1ada5cc284cdfa783b6f532c7d8bd049a5 available in the GPAC GitHub repository.
This patch adds boundary checks to the arrays used in the vulnerable function to prevent buffer overflow by ensuring the counters for style and marker blocks do not exceed their fixed sizes.
Until the patch is applied, avoid processing untrusted or specially crafted TeXML files that contain more than 50 <sharedStyles> or marker blocks, as these can trigger the overflow.
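The bug class explained above (a counter indexing a fixed 50-entry stack array) and the kind of boundary check the mitigation answer refers to, as an added example in C. It is not GPAC's code or the actual patch: `StyleRec`, `load_styles`, `run_case` and `MAX_BLOCKS` are hypothetical names, the input is constructed, and ignoring surplus blocks is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STYLES 50   /* capacity of the styles[50] array named in the text */
#define MAX_BLOCKS 64   /* upper limit for the constructed test document */

typedef struct { unsigned id; } StyleRec;  /* hypothetical stand-in for GF_StyleRecord */

/* Store one record per <sharedStyles> block found in doc.
 * Returns the number stored; *rejected counts blocks refused by the check. */
static size_t load_styles(const char *doc, StyleRec *out, size_t cap, size_t *rejected)
{
    static const char tag[] = "<sharedStyles>";
    size_t n = 0;
    *rejected = 0;
    for (const char *p = strstr(doc, tag); p; p = strstr(p + sizeof tag - 1, tag)) {
        /* Bug class: writing out[n++] here with no comparison of n against cap. */
        if (n >= cap) {          /* hardened form: test the counter before each write */
            (*rejected)++;
            continue;
        }
        out[n].id = (unsigned)n;
        n++;
    }
    return n;
}

/* Build a constructed document of `blocks` empty elements and parse it into a
 * fixed-size stack array, the layout the text describes. */
size_t run_case(size_t blocks, size_t *rejected)
{
    static const char unit[] = "<sharedStyles></sharedStyles>";
    char doc[MAX_BLOCKS * (sizeof unit - 1) + 1];
    StyleRec styles[MAX_STYLES];
    size_t len = sizeof unit - 1;
    if (blocks > MAX_BLOCKS) blocks = MAX_BLOCKS;
    for (size_t i = 0; i < blocks; i++) memcpy(doc + i * len, unit, len);
    doc[blocks * len] = '\0';
    return load_styles(doc, styles, MAX_STYLES, rejected);
}

int main(void)
{
    size_t rej, n = run_case(60, &rej);
    printf("stored=%zu rejected=%zu\n", n, rej);
    return 0;
}
```

Building a copy with the `if (n >= cap)` test removed under `-fsanitize=address` is a way to see the out-of-bounds stack write reported on the 51st block.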