CVE-2026-33144

{"id": "CVE-2026-33144", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-20T21:17:15.077", "references": [{"url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}, {"lang": "es", "value": "GPAC es un framework multimedia de c\u00f3digo abierto. Antes del commit 86b0e36, se descubri\u00f3 una vulnerabilidad de desbordamiento de b\u00fafer basado en mont\u00edculo (escritura) en GPAC MP4Box. La vulnerabilidad existe en la funci\u00f3n gf_xml_parse_bit_sequence_bs en utils/xml_bin_custom.c al procesar un archivo NHML manipulado que contiene elementos (BitSequence) maliciosos. Un atacante puede explotar esto al proporcionar un archivo NHML especialmente dise\u00f1ado, causando una escritura fuera de l\u00edmites en el mont\u00edculo. Este problema ha sido a trav\u00e9s del commit 86b0e36."}], "lastModified": "2026-04-14T18:21:42.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B06297BA-6A44-4777-BF89-4CFDA06B0A4D", "versionEndExcluding": "2026-03-17"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}