CVE-2019-15146
Description
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read in GPMF_Next, allowing code execution via crafted MP4.
Vulnerability
GoPro GPMF-parser version 1.2.2 contains a heap-based buffer over-read of 4 bytes in the GPMF_Next function in GPMF_parser.c [1]. The vulnerability occurs when parsing specially crafted MP4 files, allowing a read beyond allocated heap memory.
Exploitation
An attacker can exploit this by providing a malicious MP4 file to the parser. No special privileges are required; the parser is often used in media processing pipelines. The over-read can lead to information disclosure or potentially a crash, but careful manipulation may allow code execution [2].
Impact
Successful exploitation could result in disclosure of sensitive heap memory or, under controlled conditions, arbitrary code execution with the privileges of the parsing process.
Mitigation
The issue is fixed in commit 341f12c [1]. Users should update to a version after this commit (e.g., 1.2.3 or later). No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GoPro/GPMF-parser
- Range: =1.2.2
Patches
No patches discovered yet.
References
- github.com/gopro/gpmf-parser/commit/341f12cd5b97ab419e53853ca00176457c9f1681 (mitre, x_refsource_MISC)
- github.com/gopro/gpmf-parser/issues/60 (mitre, x_refsource_MISC)