CVE-2026-9572
Memory Leak in GPAC MP4Box via Media_GetSample
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gpac | gpac | to 2.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The best immediate mitigation step is to apply the official patch that fixes the vulnerability. This patch prevents the memory leak by adding checks to avoid zero-size memory allocations in the Media_GetSample() function.
If patching is not immediately possible, avoid processing malformed or suspicious MP4 files with MP4Box, especially using the -cat option, as this triggers the memory leak.
Monitor and limit local access to the vulnerable GPAC installation since the attack requires local environment access.
- Apply the patch identified by commit e79c5cbe8b3fed27f4854ec229457d30c96206f1 from the GPAC repository.
- Restrict local user permissions to prevent exploitation.
- Avoid using MP4Box -cat on untrusted or malformed MP4 files.
Can you explain this vulnerability to me?
This vulnerability exists in the GPAC software up to version 2.4.0, specifically in the Media_GetSample function of the MP4Box component. It is caused by improper handling of a function argument leading to a memory leak. When processing malformed or inconsistent MP4 files during track concatenation, a sample buffer allocated in Media_GetSample is not properly released, causing memory to be wasted.
The issue arises when MP4Box processes malformed ISOBMFF structures, such as unknown boxes or tracks without sample tables, and attempts to concatenate tracks. This leads to a memory leak detectable by LeakSanitizer. The vulnerability can only be exploited locally.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a memory leak in the affected software. Over time, this can cause increased memory usage, potentially leading to degraded system performance or crashes if the memory leak is severe and persistent.
Since the attack can only be performed from a local environment, remote exploitation is not possible. However, local users or processes could trigger the leak by processing malformed MP4 files with MP4Box.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a memory leak in the Media_GetSample() function of GPAC's MP4Box component when processing malformed or inconsistent MP4 files, especially during track concatenation with the -cat option.
Detection can be performed by monitoring memory usage of MP4Box processes when handling suspicious or malformed MP4 files, or by using memory leak detection tools such as LeakSanitizer.
- Run MP4Box with the -cat option on potentially malformed MP4 files and observe memory usage.
- Use LeakSanitizer or similar tools to detect memory leaks during MP4Box execution.
- Example command to run LeakSanitizer with MP4Box: `LSAN_OPTIONS=verbosity=1 ./MP4Box -cat malformed.mp4`
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.