CVE-2026-4185
Awaiting Analysis Awaiting Analysis - Queue
Stack-Based Buffer Overflow in GPAC MP4Box Enables Remote Attack

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. This vulnerability affects the function swf_def_bits_jpeg of the file src/scene_manager/swf_parse.c of the component MP4Box. The manipulation of the argument szName results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4185
EUVD
EUVD-2026-12241
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 2.5-DEV-rev2167-gcc9d617c0-master (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the GPAC software, specifically in the function swf_def_bits_jpeg within the file src/scene_manager/swf_parse.c of the MP4Box component. It is caused by improper handling of the argument szName, which leads to a stack-based buffer overflow. This means that an attacker can manipulate input data to overwrite parts of the program's memory, potentially causing unexpected behavior or allowing code execution.

The vulnerability can be exploited remotely, meaning an attacker does not need local access to the system to launch an attack. A public exploit is available, increasing the risk of exploitation. A patch has been identified and should be applied to fix this issue.

Impact Analysis

Exploitation of this vulnerability can lead to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code, crash the application, or cause denial of service. Since the attack can be launched remotely, it increases the risk of unauthorized access or disruption of services that use the vulnerable GPAC component.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1 to the affected software.

Since the vulnerability affects the function swf_def_bits_jpeg in the GPAC component MP4Box, updating GPAC to a version that includes this patch will remediate the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart