CVE-2026-7135
Received Received - Intake
Out-of-Bounds Read in GPAC MP4Box elng_box_read Function

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7135
EUVD
EUVD-2026-25873
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gpac mp4box to 26.03-DEV-rev105-g8f39a1eb3-master (inc)
gpac gpac to 26.03-DEV-rev105-g8f39a1eb3-master (inc)
gpac gpac to 26.03-DEV-rev105-g8f39a1eb3-master (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7135 is a security flaw in the GPAC multimedia framework, specifically in the function elng_box_read within the MP4Box component. The vulnerability arises from improper handling of 64-bit box sizes when parsing MP4 files containing an 'elng' (Extended Language) box with a largesize header.

The issue is that the 64-bit size value is truncated to 32 bits when allocating memory and reading data, causing the allocated buffer to be much smaller than expected. However, the original 64-bit size is still used for indexing, leading to out-of-bounds reads and writes approximately 4 GB beyond the allocated buffer.

This results in heap out-of-bounds read and write vulnerabilities, which can cause heap metadata corruption and potentially allow exploitation. The vulnerability can be triggered locally by processing a maliciously crafted MP4 file.

Impact Analysis

This vulnerability can lead to several impacts including:

  • Heap out-of-bounds read, potentially leaking sensitive memory contents.
  • Heap out-of-bounds write, which can corrupt heap metadata and enable further exploitation.
  • Denial of Service (DoS) by causing crashes when parsing malicious MP4 files.
  • Potential local exploitation if an attacker can supply crafted MP4 files to vulnerable software using GPAC.
Detection Guidance

This vulnerability can be detected by analyzing the behavior of the GPAC MP4Box tool when processing crafted MP4 files containing an elng (Extended Language) box with a largesize header exceeding the 32-bit range. Running MP4Box with AddressSanitizer enabled on such crafted files can reveal segmentation faults caused by heap out-of-bounds reads and writes.

A proof-of-concept Python script (poc_elng.py) can be used to generate a malicious MP4 file that triggers the vulnerability. Executing the command `MP4Box -info poc_elng.mp4` on this file will cause a crash if the system is vulnerable.

Detection commands include:

  • Use AddressSanitizer-enabled MP4Box to process suspicious MP4 files: `MP4Box -info suspicious_file.mp4`
  • Monitor for segmentation faults or crashes during MP4 parsing.
  • Use the provided PoC script to generate test files and verify if the system is vulnerable.
Mitigation Strategies

The immediate mitigation step is to upgrade the affected GPAC component to a version that includes the patch cf6ac48c972eaaee2af270adc3f36615325deb3e, which adds proper boundary checks to prevent integer overflow and out-of-bounds memory access.

Until the upgrade can be applied, avoid processing untrusted or malicious MP4 files that may contain crafted elng boxes with largesize headers.

Additional mitigation includes running MP4Box with security tools such as AddressSanitizer to detect abnormal behavior and crashes.

Compliance Impact

The vulnerability in GPAC's elng_box_read function leads to out-of-bounds heap reads and writes, which can cause memory corruption and potential data leakage.

Such memory safety violations could potentially expose sensitive data if exploited, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, the vulnerability requires local access and crafted MP4 files to trigger, limiting the attack vector.

No explicit information is provided about direct compliance impact or regulatory violations in the provided context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart