CVE-2026-1416

A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue.

CVSS v3 3.3 LOW
CVSS v2.0 1.7 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68	Patch
https://github.com/gpac/gpac/issues/3427	Exploit Issue Tracking Mitigation Vendor Advisory
https://github.com/gpac/gpac/issues/3427#issue-3802197432	Exploit Issue Tracking Mitigation Vendor Advisory
https://vuldb.com/?ctiid.342805	Permissions Required VDB Entry
https://vuldb.com/?id.342805	Third Party Advisory VDB Entry
https://vuldb.com/?submit.736542	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*

History

28 Jan 2026, 15:18

Type	Values Removed	Values Added
References	~~() https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 -~~	() https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 - Patch
References	~~() https://github.com/gpac/gpac/issues/3427 -~~	() https://github.com/gpac/gpac/issues/3427 - Exploit, Issue Tracking, Mitigation, Vendor Advisory
References	~~() https://github.com/gpac/gpac/issues/3427#issue-3802197432 -~~	() https://github.com/gpac/gpac/issues/3427#issue-3802197432 - Exploit, Issue Tracking, Mitigation, Vendor Advisory
References	~~() https://vuldb.com/?ctiid.342805 -~~	() https://vuldb.com/?ctiid.342805 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.342805 -~~	() https://vuldb.com/?id.342805 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.736542 -~~	() https://vuldb.com/?submit.736542 - Third Party Advisory, VDB Entry
First Time		Gpac Gpac gpac
CPE		cpe:2.3:a:gpac:gpac::::::::

26 Jan 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 04:16

Updated : 2026-01-28 15:18

NVD link : CVE-2026-1416

Mitre link : CVE-2026-1416

CVE.ORG link : CVE-2026-1416

JSON object : View

Products Affected

gpac

gpac

CWE

CWE-404

Improper Resource Shutdown or Release

CWE-476

NULL Pointer Dereference

3.3 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7 /10

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-1416

3.3^/10

1.7^/10

Attach tags to `CVE-2026-1416`