CVE-2026-4016
Out-of-Bounds Write in GPAC SVG Parser via svgin_process
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | 26.03-dev |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4016 is a heap buffer overflow vulnerability in the GPAC multimedia player, specifically in the SVG Parser component's function svgin_process located in src/filters/load_svg.c. The issue arises because an inner size value read from a bitstream overwrites the original packet size used for memory allocation, leading to out-of-bounds read and write operations on a buffer.
This happens when the code reads a 16-bit unsigned integer from the bitstream that is attacker-controlled and much larger than the allocated buffer size. The code then accesses memory beyond the allocated buffer without proper boundary checks, causing heap corruption.
The vulnerability requires local access to exploit and can cause crashes or potentially allow arbitrary code execution. A patch was released that adds proper boundary checks and preserves the original packet size to prevent out-of-bounds access.
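The bug class described above, reduced to a small C model of the hardened pattern. This is an added example, not GPAC's code or the actual patch; the packet layout, the function name parse_units and the sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, NOT GPAC code. Assumed layout (hypothetical): a packet is
 * a run of units, each a 16-bit big-endian length followed by that many bytes. */

/* Constructed sample packets. */
static const uint8_t SAMPLE_OK[]       = {0x00, 0x03, 'a', 'b', 'c', 0x00, 0x01, 'd'};
static const uint8_t SAMPLE_OVERSIZE[] = {0xFF, 0xFF, 'a', 'b'};   /* claims 65535 bytes */
static const uint8_t SAMPLE_TRUNC[]    = {0x00, 0x01, 'a', 0x00};  /* half a length field */

/* Returns total payload bytes consumed, or -1 if a declared unit length does
 * not fit in the bytes that remain in the packet. */
long parse_units(const uint8_t *pkt, size_t pkt_size)
{
    size_t pos = 0;
    long total = 0;
    /* Scratch buffer sized from the real packet size, +1 for a terminator. */
    char *scratch = malloc(pkt_size + 1);
    if (!scratch) return -1;

    while (pos < pkt_size) {
        if (pkt_size - pos < 2) { total = -1; break; }      /* truncated length field */
        /* Untrusted value gets its own variable; pkt_size, which sized the
         * allocation, is never overwritten by it. */
        size_t unit_size = ((size_t)pkt[pos] << 8) | pkt[pos + 1];
        pos += 2;
        /* Bound the unit by what is actually left before touching memory. */
        if (unit_size > pkt_size - pos) { total = -1; break; }
        memcpy(scratch, pkt + pos, unit_size);
        scratch[unit_size] = '\0';                          /* unit_size <= pkt_size */
        pos += unit_size;
        total += (long)unit_size;
    }
    free(scratch);
    return total;
}

int main(void)
{
    printf("ok=%ld oversize=%ld trunc=%ld\n",
           parse_units(SAMPLE_OK, sizeof SAMPLE_OK),
           parse_units(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE),
           parse_units(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

Without the `unit_size > pkt_size - pos` check, or if the declared length were stored back into the variable that sized the allocation, the copy and the terminator write would land outside `scratch`.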
How can this vulnerability impact me?
This vulnerability can impact you by causing memory corruption through out-of-bounds read and write operations, which can lead to Denial of Service (DoS) by crashing the GPAC multimedia player.
More severely, it may allow an attacker with local access to execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected system.
Since the exploit requires local access, remote exploitation is not possible, but local users or malicious software could leverage this flaw to escalate privileges or disrupt system operations.
Applying the provided patch is strongly recommended to mitigate these risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the GPAC multimedia player with a specially crafted MP4 file that triggers the heap buffer overflow in the svgin_process function. A proof-of-concept (PoC) file named poc_dims_oob.mp4 is available which causes GPAC to crash when processed.
Suggested commands to detect the vulnerability include running GPAC with the PoC file to observe if it crashes or behaves unexpectedly:
- gpac -i poc_dims_oob.mp4 svgplay compositor vout
- gpac -i poc_dims_oob.mp4 -o /dev/null
- gpac -i poc_dims_oob.mp4 inspect
These commands load the crafted MP4 file and will trigger the vulnerability if the system is affected, causing a crash or denial of service.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch provided by the GPAC project that fixes the buffer overflow in the svgin_process function.
The patch, identified by commit 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2, introduces proper boundary checks and corrects memory allocation to prevent out-of-bounds writes.
Until the patch is applied, avoid processing untrusted or specially crafted SVG or MP4 files that could exploit this vulnerability.
Ensure that only trusted users have local access to the system, as the vulnerability requires local access to be exploited.