VYPR
Low severity · 3.3 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9567

Description

A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Null pointer dereference in GPAC MP4Box's MergeFragment function leads to denial of service via malformed MP4 file; fixed in commit 525bf1a.

Vulnerability

In GPAC up to version 2.4.0, the function MergeFragment in src/isomedia/isom_intern.c of the MP4Box component can dereference a null pointer when processing a crafted MP4 file. The flaw occurs because the code does not verify whether the private_data pointer from a protection system header box is non-null before using it [2][3]. This affects all GPAC releases up to 2.4.0.

Exploitation

An attacker with local access can trigger the vulnerability by providing a malformed MP4 file to MP4Box -hint. No authentication or special privileges are needed beyond the ability to run the MP4Box binary. Public exploit code has been released [2].

Impact

Successful exploitation results in a null pointer dereference, typically causing a crash (denial of service). The CVSS v3 base score is 3.3 (Low), indicating limited impact on availability, with no confidentiality or integrity compromise.

Mitigation

The vulnerability is fixed in commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1 [3]. Users should update GPAC to a version that includes this patch or apply the patch manually. No workaround has been published.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Gpac/Gpac · 2 versions
    • (no CPE)
    • (no CPE), range: <=2.4.0

Patches

1
525bf1af642c

add nullguard in MergeFragment() (fixes #3549)

https://github.com/makesoftwaresafe/gpac · Aurelien David · Apr 29, 2026 · via nvd-ref
1 file changed · +8 −4
  • src/isomedia/isom_intern.c · +8 −4 · modified
    @@ -168,12 +168,16 @@ GF_Err MergeFragment(GF_MovieFragmentBox *moof, GF_ISOFile *mov)
     
     					memmove(pssh->KIDs, ((GF_ProtectionSystemHeaderBox *)a)->KIDs, pssh->KID_count*sizeof(bin128));
     				}
    -				pssh->private_data_size = ((GF_ProtectionSystemHeaderBox *)a)->private_data_size;
    -				pssh->private_data = (u8 *)gf_malloc(pssh->private_data_size*sizeof(char));
    -				if (!pssh->private_data) return GF_OUT_OF_MEM;
    -				memmove(pssh->private_data, ((GF_ProtectionSystemHeaderBox *)a)->private_data, pssh->private_data_size);
    +				if ( ((GF_ProtectionSystemHeaderBox *)a)->private_data && ((GF_ProtectionSystemHeaderBox *)a)->private_data_size ) {
    +					pssh->private_data_size = ((GF_ProtectionSystemHeaderBox *)a)->private_data_size;
    +					pssh->private_data = (u8 *)gf_malloc(pssh->private_data_size*sizeof(char));
    +					if (!pssh->private_data) return GF_OUT_OF_MEM;
    +					memmove(pssh->private_data, ((GF_ProtectionSystemHeaderBox *)a)->private_data, pssh->private_data_size);
    +				}
    +
     				pssh->moof_defined = 1;
     				mov->has_pssh_moof = GF_TRUE;
    +
     			}
     		}
     	}
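Review bot: when the new `if ( ... ->private_data && ... ->private_data_size )` guard is false, nothing assigns `pssh->private_data` or `pssh->private_data_size`, so the destination box keeps whatever those fields held before this block. That is only safe if `pssh` is zero-initialised when it is created, which this hunk does not show; an explicit `else` that sets the pointer to NULL and the size to 0 would make the empty case self-evident. A source box with a NULL `private_data` is also skipped silently here, so a log line or a check where the box is parsed would make the malformed input visible. Style: the `(GF_ProtectionSystemHeaderBox *)a` cast is repeated four times in the added lines and would read better as a local pointer, and the added blank line before the closing brace can go.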
    

Vulnerability mechanics

Root cause

"Missing null-pointer check on `private_data` before passing it to `memmove` in `MergeFragment`."

Attack vector

An attacker provides a crafted MP4 file that contains a malformed `pssh` box within a `moof` fragment [ref_id=1]. When `MP4Box -hint` parses this file, `MergeFragment` copies `private_data` from the source `pssh` box without a null check, causing a null pointer dereference in `memmove` [ref_id=1][patch_id=2566837]. The attack is local — the victim must run `MP4Box` on the attacker-supplied file [ref_id=1]. No authentication or special privileges beyond local file access are required.

Affected code

The vulnerable function is `MergeFragment` in `src/isomedia/isom_intern.c` [ref_id=1]. At line 174 (pre-patch), the code passes `((GF_ProtectionSystemHeaderBox *)a)->private_data` as argument 2 to `memmove` without first checking whether that pointer is NULL [ref_id=1][patch_id=2566837]. The crash occurs when processing a malformed MP4 file via `MP4Box -hint` [ref_id=1].

What the fix does

The patch wraps the `private_data` copy block in a guard that checks both `((GF_ProtectionSystemHeaderBox *)a)->private_data` is non-null and `private_data_size` is non-zero before calling `gf_malloc` and `memmove` [patch_id=2566837][ref_id=2]. This prevents the null pointer from being passed to `memmove`, which is annotated with a `nonnull` attribute on its second argument [ref_id=1]. The commit message describes the change as "add nullguard in MergeFragment()" [patch_id=2566837].
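The guard pattern described above, as an added example that is not GPAC's code: `pssh_model`, `copy_private_data` and `demo` are hypothetical stand-ins for the two box fields and the copy step, run on constructed inputs. Unlike the patch as shown, it also clears the destination fields before the check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two pssh box fields involved in the copy. */
typedef struct {
    uint8_t *private_data;
    uint32_t private_data_size;
} pssh_model;

enum { COPY_OK = 0, COPY_OUT_OF_MEM = -1 };

/* Guarded copy: same condition as the patch (pointer non-NULL AND size
 * non-zero). Any other source leaves dst explicitly empty, so memmove() is
 * never reached with a NULL source, which C11/C17 leave undefined even
 * when the length is 0. */
int copy_private_data(pssh_model *dst, const pssh_model *src)
{
    dst->private_data = NULL;
    dst->private_data_size = 0;
    if (!src->private_data || !src->private_data_size)
        return COPY_OK;

    dst->private_data = malloc(src->private_data_size);
    if (!dst->private_data)
        return COPY_OUT_OF_MEM;
    memmove(dst->private_data, src->private_data, src->private_data_size);
    dst->private_data_size = src->private_data_size;
    return COPY_OK;
}

/* Runs three constructed cases; returns 1 when all behave as expected. */
int demo(void)
{
    uint8_t blob[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed sample */
    pssh_model good = { blob, sizeof blob };
    pssh_model inconsistent = { NULL, 16 };        /* size set, no data */
    pssh_model empty = { NULL, 0 };
    pssh_model out;
    int ok = 1;

    ok &= copy_private_data(&out, &good) == COPY_OK
       && out.private_data_size == 4
       && memcmp(out.private_data, blob, 4) == 0;
    free(out.private_data);
    ok &= copy_private_data(&out, &inconsistent) == COPY_OK
       && !out.private_data && out.private_data_size == 0;
    ok &= copy_private_data(&out, &empty) == COPY_OK && !out.private_data;
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```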

Preconditions

  • input: Attacker must supply a malformed MP4 file with a crafted pssh box that has a null private_data pointer
  • input: Victim must run MP4Box -hint (or another command that triggers MergeFragment) on the malicious file
  • network: Attack is local; no network access required

Reproduction

1. Obtain the malformed MP4 file from the PoC archive attached to [ref_id=1] (poc.zip).
2. Run `MP4Box -hint ./malformed.mp4` (where `malformed.mp4` is the crafted file).
3. Observe the UBSan error "null pointer passed as argument 2, which is declared to never be null" at `isomedia/isom_intern.c:174` and the resulting crash [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
