Description
A vulnerability was found in GPAC up to 2.5-DEV-rev2167-gcc9d617c0-master. It affects the function swf_def_bits_jpeg in the file src/scene_manager/swf_parse.c of the component MP4Box. Manipulation of the argument szName results in a stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. The patch is identified as 8961c74f87ae3fe2d3352e622f7730ca96d50cf1. A patch should be applied to remediate this issue.
References (7)
https://vuldb.com/?id.351091 (Permissions Required, VDB Entry; vdb-entry, technical-description)
https://vuldb.com/?ctiid.351091 (Permissions Required, VDB Entry; signature, permissions-required)
https://vuldb.com/?submit.769840 (Permissions Required, VDB Entry; third-party-advisory)
https://github.com/gpac/gpac/issues/3436 (Issue Tracking; issue-tracking)
https://github.com/PeterXukt/test_pocs/blob/main/gpac/test.swf (Third Party Advisory; exploit)
https://github.com/gpac/gpac/ (Various Sources; product)
Scores
CVSS v3: 6.3
EPSS: 0.0025
EPSS Percentile: 16.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-119, CWE-121
Status: published
Products (1): n/a/GPAC 2.5-DEV-rev2167-gcc9d617c0-master
Published: Mar 16, 2026
Tracked Since: Mar 16, 2026