Jean Le Feuvre

9 exploits, active since Apr 2021
CVE-2025-55664 MEDIUM WRITEUP
GPAC MP4Box 2.4 - Heap-based Buffer Overflow in m2tsdmx_send_packet
A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
CVSS 5.5
CVE-2025-60495 MEDIUM WRITEUP
GPAC Project/MP4Box < 26.02.0 - Denial of Service via Crafted Data File
A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file.
CVSS 5.5
CVE-2021-30014 MEDIUM WRITEUP
GPAC 0.9.0-1.0.1 - Integer Overflow in HEVC Slice Segment Parser
There is an integer overflow in the hevc_parse_slice_segment function in media_tools/av_parsers.c in GPAC from v0.9.0-preview to 1.0.1, which results in a crash.
CVSS 5.5
CVE-2022-30976 HIGH WRITEUP
GPAC 2.0.0 - Heap-Based Buffer Over-Read via gf_utf8_wcslen Function
GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.
CVSS 7.1
CVE-2023-23145 HIGH WRITEUP
GPAC 2.2-rev0-gab012bbfb-master - Memory Leak in lsr_read_rare_full Function
GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a memory leak in the lsr_read_rare_full function.
CVSS 7.8
CVE-2026-1415 LOW WRITEUP
gpac < 2.4.0 - Null Pointer Dereference in gf_media_export_webvtt_metadata
A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch.
CVSS 3.3
CVE-2026-1416 LOW WRITEUP
gpac < 2.4.0 - Null Pointer Dereference in DumpMovieInfo Function
A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue.
CVSS 3.3
CVE-2026-1417 LOW WRITEUP
gpac < 2.4.0 - Null Pointer Dereference in dump_isom_rtp Function
A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue.
CVSS 3.3
CVE-2026-1418 MEDIUM WRITEUP
GPAC < 2.4.0 - Out-of-Bounds Write in SRT Subtitle Import
A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.
CVSS 5.3