CVE-2026-9567
Deferred - Pending Action
Null Pointer Dereference in GPAC MP4Box

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment in the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in a null pointer dereference. The attack must be carried out locally. An exploit has been released to the public and may be used in attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. Applying this patch is advisable.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
gpac     mp4box    up to 2.4.0 (inclusive)
gpac     gpac      up to 2.4.0 (inclusive)
CWE
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Executive Summary

This vulnerability is a security flaw in the GPAC software, specifically in the MergeFragment function of the MP4Box component. It occurs when processing a malformed or corrupted MP4 file, which causes a null pointer dereference. This means the program tries to use a null pointer as if it were valid, leading to a crash (SIGABRT) due to undefined behavior. The issue arises because certain fields are accessed without checking if they are null or zero, causing memory allocation or copying operations to fail.

The vulnerability requires local access to exploit and has been publicly disclosed along with a patch that adds proper null checks to prevent the crash.

Impact Analysis

This vulnerability can cause the MP4Box program to crash when processing a specially crafted malformed MP4 file. The crash results from a null pointer dereference, which leads to the program aborting unexpectedly.

An attacker with local access could exploit this flaw to cause denial of service by crashing the application. However, there is no indication that this vulnerability allows for code execution, data leakage, or privilege escalation.

Detection Guidance

This vulnerability can be detected by processing potentially malformed MP4 files with the MP4Box tool and observing whether it crashes with an UndefinedBehaviorSanitizer (UBSan) error in the MergeFragment() function.

A practical detection method is to run MP4Box with the -hint option on suspicious or untrusted MP4 files and check for crashes or SIGABRT signals indicating a null pointer dereference.

  • mp4box -hint suspicious_file.mp4

If the program aborts with a SIGABRT or reports a UBSan error related to null pointer usage in isomedia/isom_intern.c, this indicates the presence of the vulnerability.
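
The detection step above, wrapped as a small triage harness so it can be run over a directory of untrusted files; this is an added example, not part of the advisory or of GPAC. It assumes MP4Box is on PATH (the MP4BOX variable overrides it), that MP4Box was built with UBSan so a diagnostic contains the text "runtime error", and that the shell reports a process killed by SIGABRT as exit status 134 (128 + signal 6).

```shell
#!/bin/sh
# Added triage harness, not part of the advisory or of GPAC. Runs the
# detection step from the advisory (MP4Box -hint) on a file and classifies
# the outcome. Assumptions: MP4Box is on PATH (override with MP4BOX=...),
# it was built with -fsanitize=undefined so UBSan prints "runtime error",
# and a process killed by SIGABRT is reported as exit status 134.

MP4BOX="${MP4BOX:-MP4Box}"

# classify_run <file>: prints one of abort, ubsan, error, ok
classify_run() {
    errlog=$(mktemp) || return 1
    if "$MP4BOX" -hint "$1" >/dev/null 2>"$errlog"; then
        status=0
    else
        status=$?
    fi
    if [ "$status" -eq 134 ]; then
        result=abort        # SIGABRT: the crash the advisory describes
    elif grep -q 'runtime error' "$errlog"; then
        result=ubsan        # UBSan diagnostic without an abort
    elif [ "$status" -ne 0 ]; then
        result=error        # ordinary parse failure, not a crash
    else
        result=ok
    fi
    rm -f "$errlog"
    printf '%s\n' "$result"
}

# scan_dir <dir>: lists every .mp4 that aborts or trips UBSan; returns
# non-zero if any did, so it can gate an ingest pipeline or CI job
scan_dir() {
    hits=0
    for f in "$1"/*.mp4; do
        [ -e "$f" ] || continue
        case "$(classify_run "$f")" in
            abort|ubsan) echo "SUSPECT: $f"; hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]
}
```

Only "abort" and "ubsan" are treated as suspect; a plain non-zero exit is the normal result for a file MP4Box rejects cleanly.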

Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1, which adds null checks in the MergeFragment() function to prevent null pointer dereference.

Until the patch is applied, avoid processing untrusted or malformed MP4 files with MP4Box to reduce the risk of triggering the vulnerability.

Ensure that your MP4Box installation is updated to a version that includes this fix.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
