CVE-2026-7135

A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/gpac/gpac/
https://github.com/gpac/gpac/commit/cf6ac48c972eaaee2af270adc3f36615325deb3e
https://github.com/gpac/gpac/issues/3516
https://github.com/gpac/gpac/releases/tag/abi-16.8
https://vuldb.com/submit/800985
https://vuldb.com/vuln/359734
https://vuldb.com/vuln/359734/cti

Configurations

No configuration.

History

27 Apr 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-27 16:16

Updated : 2026-04-29 01:00

NVD link : CVE-2026-7135

Mitre link : CVE-2026-7135

CVE.ORG link : CVE-2026-7135

JSON object : View

Products Affected

No product.

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-125

Out-of-bounds Read

{"id": "CVE-2026-7135", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-27T16:16:46.730", "references": [{"url": "https://github.com/gpac/gpac/", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/commit/cf6ac48c972eaaee2af270adc3f36615325deb3e", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/issues/3516", "source": "cna@vuldb.com"}, {"url": "https://github.com/gpac/gpac/releases/tag/abi-16.8", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/submit/800985", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/359734", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/vuln/359734/cti", "source": "cna@vuldb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded."}], "lastModified": "2026-04-29T01:00:01.613", "sourceIdentifier": "cna@vuldb.com"}