CVE-2026-7135
Out-of-Bounds Read in GPAC MP4Box elng_box_read Function
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | mp4box | up to 26.03-DEV-rev105-g8f39a1eb3-master (inclusive) |
| gpac | gpac | up to 26.03-DEV-rev105-g8f39a1eb3-master (inclusive) |
| gpac | gpac | up to 26.03-DEV-rev105-g8f39a1eb3-master (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7135 is a memory-safety flaw in the GPAC multimedia framework, in the function elng_box_read that MP4Box uses to parse the 'elng' (Extended Language) box. The bug is in how the box's 64-bit size is handled when the box carries a largesize header (a 32-bit size field of 1 followed by a 64-bit size).
The 64-bit size is cast to 32 bits for the memory allocation and for the read of the box payload, so the allocated buffer is far smaller than the declared size. The untruncated 64-bit size is then used to index that buffer, which places the access roughly 4 GB (2^32 bytes) past the end of the allocation.
The result is a heap out-of-bounds read and write that can corrupt heap metadata and potentially be turned into more than a crash. The trigger is local: a vulnerable build must process a maliciously crafted MP4 file.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection on a host means testing the installed GPAC build against a crafted input rather than observing traffic: run an AddressSanitizer-instrumented MP4Box over an MP4 file containing an elng box whose largesize exceeds the 32-bit range. ASan reports the heap out-of-bounds read and write; an uninstrumented build typically dies with a segmentation fault.
The advisory's proof-of-concept script (poc_elng.py, not reproduced on this page) generates such a file. Running `MP4Box -info poc_elng.mp4` on it crashes a vulnerable build.
Detection steps:
- Compare the installed build with the affected range using `MP4Box -version`; builds up to 26.03-DEV-rev105-g8f39a1eb3-master are affected.
- Run an AddressSanitizer-instrumented MP4Box over suspicious files: `MP4Box -info suspicious_file.mp4`
- Monitor for segmentation faults or ASan reports during MP4 parsing.
- Generate test files with the PoC script and confirm whether the installed build crashes.
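The truncation pattern described above, together with a scanner for the condition the detection steps look for, as an added C example (not GPAC's code, and not the advisory's PoC). It models the bug generically: a box header parser that handles largesize, a function that shows how a 64-bit payload size diverges from its 32-bit cast, a hardened elng read that checks every length against the data actually present, and a walker that flags boxes whose declared size cannot fit the file. The two byte strings, the function names and the `ELNG_MAX_LEN` cap are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Assumed cap on an elng string; illustrative, not a value from the ISO BMFF spec or GPAC. */
#define ELNG_MAX_LEN 256

typedef struct {
    uint64_t size;    /* declared box size incl. header; 0 means "to end of data" */
    uint32_t type;
    size_t   hdr_len; /* 8 for a 32-bit size, 16 when a largesize follows */
} box_hdr_t;

typedef struct {
    int boxes;       /* headers parsed */
    int elng;        /* elng boxes seen */
    int truncating;  /* payload sizes that change when cast to uint32_t */
    int oversize;    /* declared sizes larger than the data actually present */
} scan_result_t;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t rd64(const uint8_t *p)
{
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* ISO BMFF box header: 32-bit size, 32-bit type, optional 64-bit largesize when size == 1. */
int parse_box_hdr(const uint8_t *buf, size_t avail, box_hdr_t *h)
{
    if (avail < 8) return -1;
    uint32_t s32 = rd32(buf);
    h->type = rd32(buf + 4);
    if (s32 == 1) {
        if (avail < 16) return -1;
        h->size = rd64(buf + 8);
        h->hdr_len = 16;
    } else {
        h->size = s32;
        h->hdr_len = 8;
    }
    if (h->size == 0) h->size = avail;  /* box extends to the end of the data */
    return 0;
}

/* Model of the bug pattern: allocation/read length is cast to 32 bits while the
   index stays 64-bit. Returns 1 when the two disagree (the dangerous case). */
int size_truncates(uint64_t payload_size, uint32_t *alloc_len, uint64_t *last_index)
{
    *alloc_len = (uint32_t)payload_size;
    *last_index = payload_size ? payload_size - 1 : 0;
    return (uint64_t)*alloc_len != payload_size;
}

/* Hardened copy of the language string: lengths are checked before use and the
   output is always NUL-terminated, even if the box is not. */
int elng_read_checked(const uint8_t *payload, uint64_t payload_size, char *out, size_t out_len)
{
    if (payload_size == 0 || payload_size > ELNG_MAX_LEN || payload_size >= out_len) return -1;
    memcpy(out, payload, (size_t)payload_size);
    out[payload_size] = '\0';
    return 0;
}

/* Hardened path for one elng box: header -> fit-to-data check -> bounded copy. */
int elng_string_from_box(const uint8_t *buf, size_t avail, char *out, size_t out_len)
{
    box_hdr_t h;
    if (parse_box_hdr(buf, avail, &h) != 0) return -1;
    if (h.type != FOURCC('e', 'l', 'n', 'g')) return -1;
    /* full box: 4 bytes of version/flags follow the header; the whole box must fit the data */
    if (h.size < h.hdr_len + 4 || h.size > avail) return -1;
    return elng_read_checked(buf + h.hdr_len + 4, h.size - h.hdr_len - 4, out, out_len);
}

/* Walk top-level boxes and flag the conditions a crafted file relies on. */
scan_result_t scan_boxes(const uint8_t *buf, size_t len)
{
    scan_result_t r = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        box_hdr_t h;
        if (parse_box_hdr(buf + off, len - off, &h) != 0) break;
        r.boxes++;
        if (h.type == FOURCC('e', 'l', 'n', 'g')) r.elng++;
        if (h.size < h.hdr_len) { r.oversize++; break; }  /* smaller than its own header */
        uint32_t alloc; uint64_t idx;
        if (size_truncates(h.size - h.hdr_len, &alloc, &idx)) r.truncating++;
        if (h.size > len - off) { r.oversize++; break; }  /* size cannot be trusted to advance */
        off += (size_t)h.size;
    }
    return r;
}

/* Constructed inputs for this example (not captured from real files). */
const uint8_t SAMPLE_OK[18] = {
    0x00, 0x00, 0x00, 0x12, 'e', 'l', 'n', 'g',      /* size 18 */
    0x00, 0x00, 0x00, 0x00,                          /* version + flags */
    'e', 'n', '-', 'U', 'S', 0x00
};
const uint8_t SAMPLE_BAD[23] = {
    0x00, 0x00, 0x00, 0x01, 'e', 'l', 'n', 'g',      /* size == 1: largesize follows */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10,  /* largesize 0x1_0000_0010 > 2^32 */
    0x00, 0x00, 0x00, 0x00, 'e', 'n', 0x00           /* version + flags, short string */
};

int main(void)
{
    char lang[64];
    scan_result_t r = scan_boxes(SAMPLE_BAD, sizeof SAMPLE_BAD);
    printf("crafted: boxes=%d elng=%d truncating=%d oversize=%d\n",
           r.boxes, r.elng, r.truncating, r.oversize);
    if (elng_string_from_box(SAMPLE_OK, sizeof SAMPLE_OK, lang, sizeof lang) == 0)
        printf("benign: language=%s\n", lang);
    printf("crafted: checked read -> %d\n",
           elng_string_from_box(SAMPLE_BAD, sizeof SAMPLE_BAD, lang, sizeof lang));
    return 0;
}
```

The scanner deliberately stops walking as soon as a declared size exceeds the remaining data: once a size is untrustworthy, using it to advance the offset is itself the bug class being hunted. The hardened read compares against what is actually present in the buffer, so a largesize that does not fit is rejected before any allocation or indexing takes place.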
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade the affected GPAC component to a build that includes patch cf6ac48c972eaaee2af270adc3f36615325deb3e, which adds the boundary checks that prevent the size truncation and the resulting out-of-bounds memory access.
Until the upgrade is applied, do not feed untrusted MP4 files to MP4Box or other GPAC-based tools, since a crafted elng box with a largesize header is all that is needed to trigger the bug.
AddressSanitizer is a testing aid rather than a production mitigation: use an instrumented build to confirm that the fix is present, and isolate or sandbox any service that parses untrusted MP4 input until it is patched.
How can this vulnerability impact me?
This vulnerability can lead to several impacts including:
- Heap out-of-bounds read, potentially leaking sensitive memory contents.
- Heap out-of-bounds write, which can corrupt heap metadata and enable further exploitation.
- Denial of Service (DoS) by causing crashes when parsing malicious MP4 files.
- Potential local exploitation if an attacker can supply crafted MP4 files to vulnerable software using GPAC.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The flaw in GPAC's elng_box_read function leads to out-of-bounds heap reads and writes, which can cause memory corruption and potential data leakage.
Such memory-safety violations could expose sensitive data if exploited, which may affect compliance with data-protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.
However, the attack vector is local: an attacker must get a crafted MP4 file processed by the vulnerable software, which limits exposure to files the target chooses to parse (uploads, transcoding jobs, media ingest).
No explicit information is provided about direct compliance impact or regulatory violations in the provided context.