Description
A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.
References (7)
Core 7
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.350538
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.350538
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.769798
Issue Tracking issue-tracking
https://github.com/gpac/gpac/issues/3468
Exploit, Third Party Advisory exploit
https://github.com/user-attachments/files/25494042/poc_dims_oob.py
Various Sources product
https://github.com/gpac/gpac/
Scores
CVSS v3
5.3
EPSS
0.0002
EPSS Percentile
5.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-787
Status
published
Published
Mar 12, 2026
Tracked Since
Mar 12, 2026