CVE-2026-9572
Status: Analyzed - Analysis Complete
Memory Leak in GPAC MP4Box via Media_GetSample

Publication date: 2026-05-26

Last updated on: 2026-05-28

Assigner: VulDB

Description
A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Manipulation of the argument cat leads to a memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue.
Meta Information
  • Published: 2026-05-26
  • Last Modified: 2026-05-28
  • Generated: 2026-06-16
  • AI Q&A: 2026-05-26
  • EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
  • Vendor: gpac; Product: gpac; Version / Range: up to 2.4.0 (inclusive)
CWE
  • CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
  • CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the GPAC software up to version 2.4.0, specifically in the Media_GetSample function of the MP4Box component. It is caused by improper handling of a function argument, leading to a memory leak. When processing malformed or inconsistent MP4 files during track concatenation, a sample buffer allocated in Media_GetSample is not released, so that memory is never reclaimed for the lifetime of the process.

The issue arises when MP4Box processes malformed ISOBMFF structures, such as unknown boxes or tracks without sample tables, and attempts to concatenate tracks. This leads to a memory leak detectable by LeakSanitizer. The vulnerability can only be exploited locally.

Impact Analysis

The primary impact of this vulnerability is a memory leak in the affected software. Over time, this can cause increased memory usage, potentially leading to degraded system performance or crashes if the memory leak is severe and persistent.

Since the attack can only be performed from a local environment, remote exploitation is not possible. However, local users or processes could trigger the leak by processing malformed MP4 files with MP4Box.

Detection Guidance

This vulnerability manifests as a memory leak in the Media_GetSample() function of GPAC's MP4Box component when processing malformed or inconsistent MP4 files, especially during track concatenation with the -cat option.

Detection can be performed by monitoring memory usage of MP4Box processes when handling suspicious or malformed MP4 files, or by using memory leak detection tools such as LeakSanitizer.

  • Run MP4Box with the -cat option on potentially malformed MP4 files and observe memory usage.
  • Use LeakSanitizer or similar tools to detect memory leaks during MP4Box execution.
  • Example command to run LeakSanitizer with MP4Box: `LSAN_OPTIONS=verbosity=1 ./MP4Box -cat malformed.mp4`
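Reviewing LeakSanitizer output by hand does not scale once MP4Box is run over a batch of files, so the following script triages a captured report and attributes each leak to the function named in this record. It is an added example for this CVE page and is not code from GPAC, MP4Box or the database that published the record. It assumes MP4Box was built with -fsanitize=address (which enables LeakSanitizer on Linux builds) and that stderr from the run was saved to a file. The embedded report is constructed: the addresses, line numbers and byte counts are illustrative placeholders, only the frame naming Media_GetSample in src/isomedia/media.c comes from the advisory.

```python
"""Triage a LeakSanitizer report from an MP4Box run for CVE-2026-9572.

Added example for this CVE record (not GPAC/MP4Box code). Assumes MP4Box
was built with -fsanitize=address and that its stderr was captured to a
file; pass that file's contents to triage().
"""
import re
import sys
from dataclasses import dataclass, field

# Frames that tie a leak to the location named in the advisory.
SIGNATURE_FRAMES = ("Media_GetSample", "src/isomedia/media.c")

# "Direct leak of 4096 byte(s) in 1 object(s) allocated from:"
LEAK_HEADER = re.compile(
    r"^(?P<kind>Direct|Indirect) leak of (?P<bytes>\d+) byte\(s\) "
    r"in (?P<objs>\d+) object\(s\)"
)
# "    #2 0x55d0c3b77a90 in Media_GetSample src/isomedia/media.c:123"
FRAME = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<sym>\S+)(?:\s+(?P<loc>\S+))?"
)


@dataclass
class Leak:
    kind: str
    nbytes: int
    objects: int
    frames: list = field(default_factory=list)  # (symbol, location) pairs

    def matches_signature(self) -> bool:
        """True if any stack frame names the advisory's function or file."""
        return any(
            any(sig in sym or sig in loc for sig in SIGNATURE_FRAMES)
            for sym, loc in self.frames
        )


def parse_lsan_report(text: str) -> list:
    """Split an LSan report into Leak records with their allocation stacks."""
    leaks, current = [], None
    for line in text.splitlines():
        m = LEAK_HEADER.match(line)
        if m:
            current = Leak(m["kind"], int(m["bytes"]), int(m["objs"]))
            leaks.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None:
            current.frames.append((f["sym"], f["loc"] or ""))
    return leaks


def triage(text: str) -> dict:
    """Summarise a report: total leaks/bytes and how many match the signature."""
    leaks = parse_lsan_report(text)
    hits = [lk for lk in leaks if lk.matches_signature()]
    return {
        "total_leaks": len(leaks),
        "total_bytes": sum(lk.nbytes for lk in leaks),
        "signature_hits": len(hits),
        "signature_bytes": sum(lk.nbytes for lk in hits),
    }


# Constructed sample report: addresses, line numbers and sizes are placeholders.
SAMPLE_REPORT = """\
=================================================================
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4096 byte(s) in 1 object(s) allocated from:
    #0 0x7f1c2a0b5d1f in malloc (/usr/lib/libasan.so.8+0xb5d1f)
    #1 0x55d0c3b77a90 in Media_GetSample src/isomedia/media.c:123
    #2 0x55d0c3c01120 in caller_placeholder src/placeholder.c:1

Direct leak of 64 byte(s) in 2 object(s) allocated from:
    #0 0x7f1c2a0b5d1f in malloc (/usr/lib/libasan.so.8+0xb5d1f)
    #1 0x55d0c3d22c00 in unrelated_alloc_placeholder src/placeholder.c:2

SUMMARY: AddressSanitizer: 4160 byte(s) leaked in 3 allocation(s).
"""

if __name__ == "__main__":
    # Usage: python triage_lsan.py mp4box_stderr.log   (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for k, v in triage(text).items():
        print(f"{k}: {v}")
```

Only the `signature_hits` count is evidence for this CVE; a report with leaks elsewhere in the stack is a different finding and should be triaged separately rather than attributed to Media_GetSample.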
Mitigation Strategies

The best immediate mitigation step is to apply the official patch that fixes the vulnerability. This patch prevents the memory leak by adding checks to avoid zero-size memory allocations in the Media_GetSample() function.

If patching is not immediately possible, avoid processing malformed or suspicious MP4 files with MP4Box, especially using the -cat option, as this triggers the memory leak.

Monitor and limit local access to the vulnerable GPAC installation since the attack requires local environment access.

  • Apply the patch identified by commit e79c5cbe8b3fed27f4854ec229457d30c96206f1 from the GPAC repository.
  • Restrict local user permissions to prevent exploitation.
  • Avoid using MP4Box -cat on untrusted or malformed MP4 files.