CVE-2026-39103
Analyzed Analyzed - Analysis Complete
Buffer Overflow in GPAC

Publication date: 2026-05-05

Last updated on: 2026-05-29

Assigner: MITRE

Description
Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39103
EUVD
EUVD-2026-27349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac to 2026-04-01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap-buffer-overflow in GPAC's SVG parser, specifically in the function svg_parse_strings() located in src/scenegraph/svg_attributes.c. It occurs when parsing a maliciously crafted SVG file, causing an out-of-bounds heap read of 1 byte past the allocated memory region. This leads to a crash and can be triggered through the standard SVG file loading process.

The issue involves improper boundary checks when handling string parsing, which allows reading beyond the allocated buffer. The vulnerability affects multiple functions in the SVG parsing path, including gf_svg_parse_attribute(), svg_node_start(), gf_xml_sax_parse_file(), and load_svg_run().

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the GPAC application when it processes a specially crafted SVG file. An attacker can exploit this by providing malicious SVG input that triggers the heap-buffer-overflow, leading to application instability or termination.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial-of-service conditions when processing SVG files with GPAC, specifically in the SVG parser component.

Using AddressSanitizer or similar memory error detection tools on a sanitizer-enabled build of GPAC can help identify the heap-buffer-overflow during parsing.

A practical approach is to test GPAC with known maliciously crafted SVG files that trigger the vulnerability, such as the proof-of-concept samples provided by the reporter.

Suggested commands include running GPAC with AddressSanitizer enabled and parsing suspicious SVG files to observe crashes or sanitizer reports.

  • Compile GPAC with AddressSanitizer: `CC=clang CFLAGS='-fsanitize=address' cmake . && make`
  • Run GPAC on a suspicious SVG file: `./gpac input.svg` and monitor for crashes or sanitizer output.
Mitigation Strategies

The immediate mitigation step is to update GPAC to a version that includes the fix from commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702.

This fix adds proper boundary checks in the `svg_parse_strings()` function to prevent out-of-bounds access.

Until the update can be applied, avoid processing untrusted or malicious SVG files with GPAC to reduce the risk of denial-of-service.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart