CVE-2026-27821
📋 TL;DR
A stack buffer overflow vulnerability in GPAC multimedia framework allows attackers to execute arbitrary code or crash applications by providing malicious NHML files. This affects all systems running GPAC versions up to 26.02.0 that process NHML files. The vulnerability is in the NHML parser's handling of XML attributes.
💻 Affected Systems
- GPAC (GPAC Project on Multimedia Open Source Development)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crash (denial of service) with potential for limited code execution depending on exploit sophistication.
If Mitigated
Denial of service only if exploit attempts are blocked or fail to achieve code execution.
🎯 Exploit Status
Exploitation requires delivering a malicious NHML file to be parsed. The strcpy() vulnerability is straightforward to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 9bd7137fded2db40de61a2cf3045812c8741ec52
Vendor Advisory: https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559
Restart Required: Yes
Instructions:
1. Update GPAC to version after commit 9bd7137fded2db40de61a2cf3045812c8741ec52. 2. Rebuild applications using GPAC libraries. 3. Restart services using GPAC.
🔧 Temporary Workarounds
Disable NHML file processing
allBlock or filter NHML files from being processed by GPAC applications
# Configure application to reject .nhml files
# Use file type filtering in web applications
Input validation
allImplement strict input validation for XML attributes before passing to GPAC
# Validate xmlHeaderEnd attribute length < 1000 bytes before processing
🧯 If You Can't Patch
- Implement network segmentation to isolate GPAC systems
- Deploy application control to prevent execution of untrusted NHML files
🔍 How to Verify
Check if Vulnerable:
Check GPAC version: gpac -version. If version is 26.02.0 or earlier, system is vulnerable.Check Version:
gpac -version 2>/dev/null || gpac --versionVerify Fix Applied:
Verify GPAC version is after commit 9bd7137fded2db40de61a2cf3045812c8741ec52. Test with sample NHML files containing long xmlHeaderEnd attributes.📡 Detection & Monitoring
Log Indicators:
- GPAC segmentation faults or crashes when processing NHML files
- Unusually large XML attribute values in application logs
Network Indicators:
- NHML file transfers to systems running GPAC
- HTTP requests with .nhml extensions
SIEM Query:
process:gpac AND (event:segfault OR event:crash) AND file_extension:nhml