CVE-2026-1415

3.3 LOW

📋 TL;DR

A null pointer dereference vulnerability exists in GPAC multimedia framework versions up to 2.4.0. Attackers with local access can crash the application by manipulating the Name argument in the gf_media_export_webvtt_metadata function. This affects systems running vulnerable GPAC versions for media processing.

💻 Affected Systems

Products:
  • GPAC Multimedia Framework
Versions: Up to and including version 2.4.0
Operating Systems: All platforms running GPAC
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when processing WebVTT metadata.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service for media processing functionality, potentially disrupting workflows that depend on GPAC.

🟠 Likely Case: Local user causes application crash, interrupting media processing tasks but no privilege escalation or remote impact.

🟢 If Mitigated: Minimal impact with proper access controls limiting local user privileges and application isolation.

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers can cause denial of service, but no code execution or privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and specific manipulation of WebVTT metadata processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit af951b892dfbaaa38336ba2eba6d6a42c25810fd

Vendor Advisory: https://github.com/gpac/gpac/issues/3428

Restart Required: Yes

Instructions:

1. Update GPAC to a version after commit af951b892dfbaaa38336ba2eba6d6a42c25810fd
2. Rebuild from source if using custom builds
3. Restart any services using GPAC

🔧 Temporary Workarounds

Restrict local access (all)

Limit local user access to systems running GPAC to prevent exploitation

Disable WebVTT processing (all)

Avoid processing WebVTT metadata if not required

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for application crashes and investigate unauthorized local access attempts

🔍 How to Verify

Check if Vulnerable:

Check the GPAC version with 'gpac -version', or verify whether the source tree contains the vulnerable function in src/media_tools/media_export.c

Check Version:

gpac -version 2>&1 | head -1

Verify Fix Applied:

Verify that the GPAC version is newer than 2.4.0, or that the build includes commit af951b892dfbaaa38336ba2eba6d6a42c25810fd
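The version check above, carried out in code. This is an added example, not part of the advisory or of GPAC itself: it parses the first line of 'gpac -version' output for an X.Y.Z token, flags anything at or below 2.4.0 as in the affected range, and, for a source checkout, asks git whether the fix commit from the advisory is an ancestor of HEAD, which settles the case of a 2.4.0 build compiled after the fix that the version number alone cannot. The banner strings in the comments are constructed samples, and the assumption that the banner contains an X.Y.Z token is mine, not the advisory's.

```python
"""Version check for CVE-2026-1415 (added example, not advisory or GPAC code).

Assumptions not taken from the advisory: the first line of `gpac -version`
contains an X.Y.Z token, and a source checkout is a git repository.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

LAST_AFFECTED: Version = (2, 4, 0)  # advisory: "up to and including version 2.4.0"
FIX_COMMIT = "af951b892dfbaaa38336ba2eba6d6a42c25810fd"  # from the advisory

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner_line: str) -> Optional[Version]:
    """Return the first X.Y.Z token in a version banner, or None.

    Constructed sample: "GPAC version 2.4.0-rev0-g0123abcd-master" -> (2, 4, 0)
    """
    m = _VERSION_RE.search(banner_line)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Optional[Version]) -> Optional[bool]:
    """True when the version is in the affected range (<= 2.4.0), False when
    newer, None when the version could not be parsed.

    A 2.4.0 build compiled from source after the fix commit is still reported
    as affected here, because the number alone cannot distinguish it; use
    contains_fix_commit() on the checkout for that case.
    """
    if version is None:
        return None
    return version <= LAST_AFFECTED


def contains_fix_commit(repo_dir: str) -> Optional[bool]:
    """Ask git whether the advisory's fix commit is an ancestor of HEAD.

    Returns True/False when git can answer, and None when git is missing,
    repo_dir is not a repository, or the commit is not present locally.
    """
    try:
        result = subprocess.run(
            ["git", "-C", repo_dir, "merge-base", "--is-ancestor", FIX_COMMIT, "HEAD"],
            capture_output=True, text=True, check=False,
        )
    except OSError:
        return None
    if result.returncode == 0:
        return True
    if result.returncode == 1:
        return False
    return None  # exit 128: not a repository or unknown commit


def installed_banner_line() -> str:
    """Equivalent of `gpac -version 2>&1 | head -1`; empty string if gpac is absent."""
    try:
        result = subprocess.run(["gpac", "-version"], capture_output=True, text=True, check=False)
    except OSError:
        return ""
    combined = (result.stdout + result.stderr).strip()
    return combined.splitlines()[0] if combined else ""


def verdict(banner_line: str, repo_dir: Optional[str] = None) -> str:
    """Combine the version check and the optional git check into one verdict."""
    affected = is_affected(parse_version(banner_line))
    if affected is None:
        return "unknown"
    if affected and repo_dir is not None and contains_fix_commit(repo_dir) is True:
        return "patched-source-build"
    return "affected" if affected else "not-affected"


if __name__ == "__main__":
    line = installed_banner_line()
    print(f"{line or '<gpac not found>'} -> {verdict(line)}")
```

Run it on the host in question; pass a checkout path as the second argument of verdict() when GPAC was built from source, since that is the only way to tell a patched 2.4.0 build from an unpatched one.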

📡 Detection & Monitoring

Log Indicators:

  • GPAC application crashes
  • Segmentation fault errors in system logs
  • Unexpected termination of media processing tasks

Network Indicators:

  • No network indicators - local exploit only

SIEM Query:

source="*syslog*" AND "gpac" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
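The SIEM query above, run offline over constructed syslog lines, as an added example that is not part of the advisory. It implements the advisory's boolean exactly and, as my own extension, a wider matcher: the Linux kernel reports a process fault as `<name>[<pid>]: segfault at <addr> ...` and systemd-coredump as `Process <pid> (<name>) ... dumped core`, and neither wording contains "segmentation fault", "crash" or "SIGSEGV", so the query as written would miss both. For kernel lines it also extracts the faulting address; an address at or near 0 is consistent with the null pointer dereference described in the TL;DR. All five sample lines are constructed, not captures.

```python
"""Log triage for the CVE-2026-1415 indicators (added example, not advisory code).

The sample lines are constructed for this example; nothing here is a real capture.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PROCESS_TOKEN = "gpac"
# Terms from the advisory's SIEM query, compared case-insensitively.
ADVISORY_TERMS = ("segmentation fault", "crash", "sigsegv")
# Extension (mine, not the advisory's): wording used by the Linux kernel and systemd-coredump.
EXTRA_TERMS = ("segfault at", "dumped core")

# Linux kernel fault report: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <obj>"
_KERNEL_SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+)"
    r" sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)(?: in (?P<obj>\S+))?",
    re.IGNORECASE,
)


@dataclass
class Hit:
    line: str
    pid: Optional[int] = None
    fault_addr: Optional[int] = None
    mapped_object: Optional[str] = None

    @property
    def near_null(self) -> Optional[bool]:
        """A faulting address inside the first page is consistent with a NULL dereference."""
        return None if self.fault_addr is None else self.fault_addr < 0x1000


def matches_siem_query(line: str) -> bool:
    """Exactly the advisory's boolean: "gpac" AND any of the three crash terms."""
    lowered = line.lower()
    return PROCESS_TOKEN in lowered and any(t in lowered for t in ADVISORY_TERMS)


def matches_extended(line: str) -> bool:
    """The advisory's query plus kernel and systemd-coredump wording."""
    lowered = line.lower()
    return PROCESS_TOKEN in lowered and any(t in lowered for t in ADVISORY_TERMS + EXTRA_TERMS)


def triage(lines: List[str], extended: bool = True) -> List[Hit]:
    """Return one Hit per matching line, with kernel fault details where present."""
    matcher = matches_extended if extended else matches_siem_query
    hits: List[Hit] = []
    for line in lines:
        if not matcher(line):
            continue
        hit = Hit(line=line)
        m = _KERNEL_SEGV.search(line)
        if m:
            hit.pid = int(m.group("pid"))
            hit.fault_addr = int(m.group("addr"), 16)
            hit.mapped_object = m.group("obj")
        hits.append(hit)
    return hits


# Constructed sample syslog lines (not real captures).
SAMPLE_SYSLOG = [
    "Mar  3 10:15:02 host kernel: gpac[4242]: segfault at 0 ip 00007f3a1c2b4d10 "
    "sp 00007ffd2e1f9a40 error 4 in libgpac.so.12[7f3a1c200000+400000]",
    "Mar  3 10:15:02 host systemd-coredump[4250]: Process 4242 (gpac) of user 1000 dumped core.",
    "Mar  3 10:15:03 host media-worker[311]: job 77 failed: gpac exited with SIGSEGV (Segmentation fault)",
    "Mar  3 10:16:00 host sshd[500]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:17:00 host kernel: ffmpeg[600]: segfault at 10 ip 000055d2a1b3c000 sp 00007ffc11223344 error 4",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_SYSLOG):
        print(f"pid={hit.pid} addr={hit.fault_addr} near_null={hit.near_null} :: {hit.line}")
```

Against the sample, the advisory's query alone matches only the worker line; the extended matcher also picks up the kernel and systemd-coredump lines for the same crash, and the kernel line's fault address of 0 is the detail worth keeping in the alert.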
