CVE-2026-1416 – A null pointer dereference vulnerability exists... (How to Fix)

📋 TL;DR

A null pointer dereference vulnerability exists in GPAC's DumpMovieInfo function, allowing local attackers to cause denial of service through application crashes. This affects GPAC versions up to 2.4.0 when processing malicious MP4 files. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

GPAC
MP4Box

Versions: All versions up to 2.4.0

Operating Systems: All platforms running GPAC

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability is in the filedump.c component and requires processing of malicious MP4 files

📦 What is this software?

Gpac by Gpac

View all CVEs affecting Gpac →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Application crash leading to denial of service for MP4 processing functionality

🟠

Likely Case

Local user causes GPAC/mp4box to crash when processing specially crafted files

🟢

If Mitigated

Minimal impact with proper access controls limiting local user privileges

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely

🏢 Internal Only: MEDIUM - Local users could disrupt MP4 processing services or cause application instability

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local access and ability to feed malicious MP4 files to vulnerable application

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit d45c264c20addf0c1cc05124ede33f8ffa800e68

Vendor Advisory: https://github.com/gpac/gpac/issues/3427

Restart Required: Yes

Instructions:

1. Update GPAC to version after 2.4.0 or apply commit d45c264c20addf0c1cc05124ede33f8ffa800e68
2. Recompile GPAC from source if using custom build
3. Restart any services using GPAC/MP4Box

🔧 Temporary Workarounds

Restrict local user access

linux

Limit which users can execute GPAC/MP4Box or process MP4 files

chmod 750 /usr/bin/mp4box
setfacl -m u:username:rx /usr/bin/mp4box

Input validation wrapper

all

Create wrapper script that validates MP4 files before passing to GPAC

#!/bin/bash
# Validate file exists and has MP4 signature
if [[ -f "$1" && $(file -b "$1") == *MP4* ]]; then
    mp4box "$1"
else
    echo "Invalid file"
fi

🧯 If You Can't Patch

Implement strict access controls to limit which users can execute GPAC/MP4Box
Monitor for crash logs and restrict users who trigger repeated GPAC crashes

🔍 How to Verify

Check if Vulnerable:

Check GPAC version: mp4box -version | grep 'GPAC'

Check Version:

mp4box -version 2>&1 | head -1

Verify Fix Applied:

Verify commit d45c264c20addf0c1cc05124ede33f8ffa800e68 is present in source or test with known malicious MP4 file

📡 Detection & Monitoring

Log Indicators:

GPAC/mp4box segmentation fault logs
Application crash dumps with null pointer references

Network Indicators:

None - local exploitation only

SIEM Query:

process_name:"mp4box" AND event_type:"crash" OR "segmentation fault"

📊 Metadata

CVE ID: CVE-2026-1416

CVSS v3 Score: 3.3 (LOW)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-404

EPSS Score: 0.02% exploit probability (4.5th percentile)

Published: January 26, 2026

Last Updated: February 23, 2026

🔗 References

https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 Patch
https://github.com/gpac/gpac/
https://github.com/gpac/gpac/issues/3427 Exploit,Issue Tracking,Mitigation,Vendor Advisory
https://github.com/gpac/gpac/issues/3427#issue-3802197432 Exploit,Issue Tracking,Mitigation,Vendor Advisory
https://vuldb.com/?ctiid.342805 Permissions Required,VDB Entry
https://vuldb.com/?id.342805 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.736542 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1416, you might also want to check these: