CVE-2026-14801
Received Received - Intake

Divide by Zero in GPAC TeXML File Handler

Vulnerability report for CVE-2026-14801, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gpac gpac 26.03-DEV

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-369 The product divides a value by zero.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a divide-by-zero error found in the GPAC media processing library, specifically in the TeXML File Handler component. It occurs in the function txtin_probe_duration within the file src/filters/load_text.c. The issue arises because the timeScale attribute from a TeXML subtitle file is parsed without proper validation. If the timeScale value is set to zero, it causes a division by zero during subtitle duration calculation, leading to a crash of the GPAC process.

An attacker can exploit this vulnerability by providing a malicious TeXML file with the timeScale attribute set to zero, causing a denial of service by crashing the application.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition. When a malicious TeXML subtitle file with a zero timeScale is processed, the GPAC application crashes immediately. This crash disrupts the normal operation of the software, potentially causing service interruptions or application downtime.

Detection Guidance

This vulnerability can be detected by attempting to process a specially crafted TeXML subtitle file with the GPAC software version 26.03-DEV. The vulnerability manifests as a divide-by-zero error when the timeScale attribute in the TeXML file is set to zero.

A proof-of-concept file and command have been used to reproduce the issue consistently, indicating that testing GPAC with a TeXML file containing timeScale="0" will trigger the vulnerability.

A suggested command to test this vulnerability would be to run GPAC with a malicious TeXML subtitle file that sets the timeScale attribute to zero and observe if the gpac process crashes.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit 86a5191f2e750c767253e27ed6cfd6d547afebc2, which fixes the divide-by-zero issue by validating the timeScale value before use.

This patch replaces unsafe numeric parsing methods and adds checks to prevent division by zero, improving stability and security.

Until the patch is applied, avoid processing untrusted or malicious TeXML subtitle files that could exploit this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart