Gpac
by Gpac
CVEs (414)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-1415 | | Low | 0.14 | 3.3 | 0.00 | | Jan 26, 2026 | A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit… |
| CVE-2026-10565 | | Low | 0.13 | 3.1 | 0.00 | | Jun 2, 2026 | A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The… |
| CVE-2026-13523 | | | 0.00 | — | 0.00 | | Jun 30, 2026 | A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/base_encoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been… |
| CVE-2025-60473 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A NULL pointer dereference in the gf_filter_in_parent_chain function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file. |
| CVE-2025-60471 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A use-after-free in the gf_filter_pid_reconfigure_task_discard function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
| CVE-2025-60468 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | GPAC Multimedia Open Source Project GPAC Project/MP4Box 2.5-DEV-rev1593-gfe88c3545-master is affected by: Buffer Overflow. The impact is: cause a denial of service (local). The component is: filter_core/filter_pid.c (L:574-580): function gf_filter_pid_inst_swap_delete_task()… |
| CVE-2025-60467 | | | 0.00 | — | 0.01 | | Jun 24, 2026 | A use-after-free in the gf_filter_pid_inst_swap_delete_task function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
| CVE-2025-60474 | | | 0.00 | — | 0.01 | | Jun 24, 2026 | A buffer overflow in the gf_media_import function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input. |
| CVE-2025-60466 | | | 0.00 | — | 0.00 | | Jun 24, 2026 | A use-after-free in the gf_filter_pid_get_packet function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file. |
| CVE-2025-55639 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | GPAC MP4Box v2.4 was discovered to contain a NULL pointer dereference in the gf_isom_add_track_kind() function at isomedia/isom_write.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. |
| CVE-2026-27821 | | | 0.00 | — | 0.00 | | Feb 26, 2026 | GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using… |
| CVE-2025-70305 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A stack overflow in the dmx_saf function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .saf file. |
| CVE-2025-70303 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A heap overflow in the uncv_parse_config() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. |
| CVE-2025-70307 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. |
| CVE-2025-70309 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A stack overflow in the pcmreframe_flush_packet function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted WAV file. |
| CVE-2025-70310 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A heap overflow in the vorbis_to_intern() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .ogg file. |
| CVE-2025-70298 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. |
| CVE-2025-70302 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A heap overflow in the ghi_dmx_declare_opid_bin() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. |
| CVE-2025-70299 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | A heap overflow in the avi_parse_input_file() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. |
| CVE-2025-70308 | | | 0.00 | — | 0.00 | | Jan 15, 2026 | An out-of-bounds read in the GSF demuxer filter component of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted .gsf file. |