CVE-2026-14790
Received Received - Intake

Null Pointer Dereference in GPAC Media File Handler

Vulnerability report for CVE-2026-14790, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A flaw has been found in GPAC 26.02.0. This affects the function nhmldump_send_frame of the file src/filters/write_nhml.c of the component Media File Handler. Executing a manipulation can lead to null pointer dereference. The attack requires local access. The exploit has been published and may be used. This patch is called bd1d94e70e3bef364c07c5a1d94eca5c9f56e160. A patch should be applied to remediate this issue. The project explains: "I would consider most of these more as bugs than vulns but anyway they're good to fix".

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac 26.02.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a null pointer dereference found in the GPAC media framework, specifically in the function nhmldump_send_frame within the file src/filters/write_nhml.c. It occurs when the code dereferences a pointer that can be NULL due to malformed input or partially initialized objects, leading to a crash of the process.

The issue arises because the function assumes certain state is present without validating pointers properly. Crafted media files or graph descriptions can trigger this flaw, causing a denial of service by crashing the application.

The vulnerability requires local access to exploit and has been addressed by adding boundary checks, validating input sizes, and ensuring proper memory handling to prevent null pointer dereferences and other memory-related issues.

Impact Analysis

This vulnerability can lead to a denial of service condition by crashing the GPAC media processing application when it processes crafted or malformed media files.

Since the flaw causes a null pointer dereference, an attacker with local access can exploit it to cause the application to terminate unexpectedly, potentially disrupting media streaming or processing services.

The impact is limited to availability, as the vulnerability does not allow for code execution or data disclosure, but it can interrupt normal operations.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service conditions in the GPAC media framework, specifically related to the function nhmldump_send_frame in src/filters/write_nhml.c. Using sanitizer tools such as AddressSanitizer (ASan) or UndefinedBehaviorSanitizer (UBSan) during testing can help identify null pointer dereference issues.

Detection can involve running GPAC with crafted or malformed media files or graph descriptions that may trigger the vulnerability and observing if the process crashes or reports runtime errors related to null pointer dereferences.

Suggested commands include running GPAC under sanitizers on Linux with Clang, for example:

  • Compile GPAC with ASan and UBSan enabled: `clang -fsanitize=address,undefined -g -o gpac ...`
  • Run GPAC with suspicious media files and monitor for sanitizer reports or crashes: `./gpac <media_file>`
Mitigation Strategies

The primary mitigation step is to apply the official patch that fixes this vulnerability, identified by commit bd1d94e70e3bef364c07c5a1d94eca5c9f56e160 in the GPAC project.

This patch includes boundary checks, input validation, and proper memory handling to prevent null pointer dereferences and other memory-related issues.

Additionally, restrict local access to the GPAC media framework to trusted users only, as the attack requires local access.

Avoid processing untrusted or malformed media files until the patch is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14790. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart