CVE-2026-39103
Buffer Overflow in GPAC
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | to 391dc7f4d234988ea0bc3cc294eb725eddf8f702 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is a heap-buffer-overflow in GPAC's SVG parser, specifically in the function svg_parse_strings() located in src/scenegraph/svg_attributes.c. It occurs when parsing a maliciously crafted SVG file, causing an out-of-bounds heap read of 1 byte past the allocated memory region. This leads to a crash and can be triggered through the standard SVG file loading process.
The issue involves improper boundary checks when handling string parsing, which allows reading beyond the allocated buffer. The vulnerability affects multiple functions in the SVG parsing path, including gf_svg_parse_attribute(), svg_node_start(), gf_xml_sax_parse_file(), and load_svg_run().
How can this vulnerability impact me? :
This vulnerability can cause a denial-of-service (DoS) condition by crashing the GPAC application when it processes a specially crafted SVG file. An attacker can exploit this by providing malicious SVG input that triggers the heap-buffer-overflow, leading to application instability or termination.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial-of-service conditions when processing SVG files with GPAC, specifically in the SVG parser component.
Using AddressSanitizer or similar memory error detection tools on a sanitizer-enabled build of GPAC can help identify the heap-buffer-overflow during parsing.
A practical approach is to test GPAC with known maliciously crafted SVG files that trigger the vulnerability, such as the proof-of-concept samples provided by the reporter.
Suggested commands include running GPAC with AddressSanitizer enabled and parsing suspicious SVG files to observe crashes or sanitizer reports.
- Compile GPAC with AddressSanitizer: `CC=clang CFLAGS='-fsanitize=address' cmake . && make`
- Run GPAC on a suspicious SVG file: `./gpac input.svg` and monitor for crashes or sanitizer output.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update GPAC to a version that includes the fix from commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702.
This fix adds proper boundary checks in the `svg_parse_strings()` function to prevent out-of-bounds access.
Until the update can be applied, avoid processing untrusted or malicious SVG files with GPAC to reduce the risk of denial-of-service.