CVE-2026-15185
Deferred Deferred - Pending Action

Out-of-Bounds Read in GPAC MP4Box via vobsub_read_idx

Vulnerability report for CVE-2026-15185, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gpac mp4box 26.03-dev
gpac gpac 26.03-dev

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in GPAC 26.03-DEV, specifically in the function vobsub_read_idx within the file /src/media_tools/vobsub.c of the MP4Box component. It involves an out-of-bounds read caused by improper handling of the argument num_langs, which can exceed the bounds of a fixed-size array (langs[32]). This happens when a crafted subtitle index (.idx) file contains repeated language declarations, causing num_langs to surpass the array size and leading to out-of-bounds memory access.

The vulnerability can be triggered locally by providing a malicious subtitle file, potentially causing crashes or denial of service in applications using GPAC or MP4Box. The issue has been publicly disclosed and fixed by applying boundary checks and logic improvements to prevent out-of-bounds access.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

Exploiting this vulnerability can lead to out-of-bounds memory reads, which may cause application crashes (segmentation faults) or denial of service when processing malicious subtitle files. Since the attack requires local access and crafted subtitle files, it could disrupt the normal operation of multimedia applications like GPAC or MP4Box on your system.

Detection Guidance

This vulnerability involves an out-of-bounds read in the vobsub_read_idx function of GPAC's MP4Box component, triggered by a crafted subtitle (.idx) file with excessive or duplicate language entries.

Detection can focus on identifying usage of vulnerable GPAC versions processing suspicious or malformed .idx subtitle files that contain repeated 'id:' declarations exceeding 32 entries.

Since the attack requires local execution and malformed subtitle files, you can detect attempts by monitoring for crashes or segmentation faults in GPAC or MP4Box processes when opening subtitle files.

Suggested commands include:

  • Use process monitoring tools (e.g., `ps`, `top`, `htop`) to watch for GPAC or MP4Box crashes.
  • Check logs for segmentation faults or crashes related to GPAC or MP4Box.
  • Manually inspect .idx subtitle files for repeated 'id:' entries exceeding 32 using commands like `grep -c '^id:' file.idx`.
  • Run GPAC or MP4Box in a controlled environment with suspicious .idx files to observe abnormal behavior or crashes.
Mitigation Strategies

The primary mitigation step is to apply the official patches that fix the out-of-bounds read vulnerability in GPAC's MP4Box component.

The patches include boundary checks on the num_langs argument and improvements in VobSub parsing logic to prevent out-of-bounds memory access.

Additional immediate steps include:

  • Avoid processing untrusted or malformed .idx subtitle files that may contain excessive or duplicate language entries.
  • Restrict local access to systems running vulnerable GPAC versions to prevent local exploitation.
  • Monitor for crashes or abnormal behavior in GPAC or MP4Box and investigate suspicious subtitle files.

Applying the patch identified by commit aa0fb77 (Resource 1) is the best practice to fully resolve this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart