CVE-2026-33144

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72
https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg
https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 21:17

Updated : 2026-03-23 14:32

NVD link : CVE-2026-33144

Mitre link : CVE-2026-33144

CVE.ORG link : CVE-2026-33144

JSON object : View

Products Affected

No product.

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2026-33144", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.0}]}, "published": "2026-03-20T21:17:15.077", "references": [{"url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "source": "security-advisories@github.com"}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "source": "security-advisories@github.com"}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}, {"lang": "es", "value": "GPAC es un framework multimedia de c\u00f3digo abierto. Antes del commit 86b0e36, se descubri\u00f3 una vulnerabilidad de desbordamiento de b\u00fafer basado en mont\u00edculo (escritura) en GPAC MP4Box. La vulnerabilidad existe en la funci\u00f3n gf_xml_parse_bit_sequence_bs en utils/xml_bin_custom.c al procesar un archivo NHML manipulado que contiene elementos (BitSequence) maliciosos. Un atacante puede explotar esto al proporcionar un archivo NHML especialmente dise\u00f1ado, causando una escritura fuera de l\u00edmites en el mont\u00edculo. Este problema ha sido a trav\u00e9s del commit 86b0e36."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security-advisories@github.com"}