CVE-2026-4016
Received Received - Intake
Out-of-Bounds Write in GPAC SVG Parser via svgin_process

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-17
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4016
EUVD
EUVD-2026-11551
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac 26.03-dev
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4016 is a heap buffer overflow vulnerability in the GPAC multimedia player, specifically in the SVG Parser component's function svgin_process located in src/filters/load_svg.c. The issue arises because an inner size value read from a bitstream overwrites the original packet size used for memory allocation, leading to out-of-bounds read and write operations on a buffer."}, {'type': 'paragraph', 'content': 'This happens when the code reads a 16-bit unsigned integer from the bitstream that is attacker-controlled and much larger than the allocated buffer size. The code then accesses memory beyond the allocated buffer without proper boundary checks, causing heap corruption.'}, {'type': 'paragraph', 'content': 'The vulnerability requires local access to exploit and can cause crashes or potentially allow arbitrary code execution. A patch was released that adds proper boundary checks and preserves the original packet size to prevent out-of-bounds access.'}] [1, 2, 3, 4, 5]

Impact Analysis

This vulnerability can impact you by causing memory corruption through out-of-bounds read and write operations, which can lead to Denial of Service (DoS) by crashing the GPAC multimedia player.

More severely, it may allow an attacker with local access to execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected system.

Since the exploit requires local access, remote exploitation is not possible, but local users or malicious software could leverage this flaw to escalate privileges or disrupt system operations.

Applying the provided patch is strongly recommended to mitigate these risks.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing the GPAC multimedia player with a specially crafted MP4 file that triggers the heap buffer overflow in the svgin_process function. A proof-of-concept (PoC) file named poc_dims_oob.mp4 is available which causes GPAC to crash when processed.

Suggested commands to detect the vulnerability include running GPAC with the PoC file to observe if it crashes or behaves unexpectedly:

  • gpac -i poc_dims_oob.mp4 svgplay compositor vout
  • gpac -i poc_dims_oob.mp4 -o /dev/null
  • gpac -i poc_dims_oob.mp4 inspect

These commands load the crafted MP4 file and will trigger the vulnerability if the system is affected, causing a crash or denial of service.

Mitigation Strategies

The immediate mitigation step is to apply the official patch provided by the GPAC project that fixes the buffer overflow in the svgin_process function.

The patch, identified by commit 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2, introduces proper boundary checks and corrects memory allocation to prevent out-of-bounds writes.

Until the patch is applied, avoid processing untrusted or specially crafted SVG or MP4 files that could exploit this vulnerability.

Ensure that only trusted users have local access to the system, as the vulnerability requires local access to be exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart