{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1416", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-25T09:55:16.575Z", "datePublished": "2026-01-26T03:02:07.336Z", "dateUpdated": "2026-02-23T08:55:57.311Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:55:57.311Z"}, "title": "GPAC filedump.c DumpMovieInfo null pointer dereference", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "n/a", "product": "GPAC", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}, {"version": "2.3", "status": "affected"}, {"version": "2.4.0", "status": "affected"}], "cpes": ["cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-29T02:01:26.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Kery Qi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.342805", "name": "VDB-342805 | GPAC filedump.c DumpMovieInfo null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342805", "name": "VDB-342805 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736542", "name": "Submit #736542 | gpac v2.4.0 NULL Pointer Dereference", "tags": ["third-party-advisory"]}, {"url": "https://github.com/gpac/gpac/issues/3427", "tags": ["issue-tracking"]}, {"url": "https://github.com/gpac/gpac/issues/3427#issue-3802197432", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68", "tags": ["patch"]}, {"url": "https://github.com/gpac/gpac/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:26:12.906212Z", "id": "CVE-2026-1416", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:26:47.761Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1416", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T15:26:12.906212Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:26:42.439Z"}}], "cna": {"tags": ["x_open-source"], "title": "GPAC filedump.c DumpMovieInfo null pointer dereference", "credits": [{"lang": "en", "type": "reporter", "value": "Kery Qi (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*"], "vendor": "n/a", "product": "GPAC", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}, {"status": "affected", "version": "2.3"}, {"status": "affected", "version": "2.4.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-25T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-29T02:01:26.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.342805", "name": "VDB-342805 | GPAC filedump.c DumpMovieInfo null pointer dereference", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.342805", "name": "VDB-342805 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.736542", "name": "Submit #736542 | gpac v2.4.0 NULL Pointer Dereference", "tags": ["third-party-advisory"]}, {"url": "https://github.com/gpac/gpac/issues/3427", "tags": ["issue-tracking"]}, {"url": "https://github.com/gpac/gpac/issues/3427#issue-3802197432", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68", "tags": ["patch"]}, {"url": "https://github.com/gpac/gpac/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:55:57.311Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1416", "state": "PUBLISHED", "dateUpdated": "2026-02-23T08:55:57.311Z", "dateReserved": "2026-01-25T09:55:16.575Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-26T03:02:07.336Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*", "matchCriteriaId": "3569968C-C15E-4091-B538-8B212A2F16CC", "versionEndIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue."}, {"lang": "es", "value": "Se ha descubierto un fallo de seguridad en GPAC hasta 2.4.0. Afectada por esta vulnerabilidad es la funci\u00f3n DumpMovieInfo del archivo applications/mp4box/filedump.c. La manipulaci\u00f3n resulta en desreferencia de puntero nulo. El ataque debe ser iniciado desde una posici\u00f3n local. El exploit ha sido liberado al p\u00fablico y puede ser usado para ataques. El parche es identificado como d45c264c20addf0c1cc05124ede33f8ffa800e68. Es aconsejable implementar un parche para corregir este problema."}], "id": "CVE-2026-1416", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-26T04:16:09.960", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68"}, {"source": "cna@vuldb.com", "url": "https://github.com/gpac/gpac/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/issues/3427"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/issues/3427#issue-3802197432"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.342805"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.342805"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.736542"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:51:52.668673+00:00", "value": {"mitigation_remediation": ["Obtain the patch commit (d45c264c20addf0c1cc05124ede33f8ffa800e68) from the GPAC GitHub repository and apply it to the source code before rebuilding or reinstalling GPAC", "Upgrade to the latest GPAC release that includes the patch\u2014verify that the version number is higher than 2.4.0", "Restrict GPAC execution to trusted users or disable the DumpMovieInfo feature if it is not required"], "summary": {"action": "Patch Immediately", "impact": "Local Null Pointer Dereference leading to Process Crash"}, "threat_synthesis": {"affected_systems": "The affected vendor is GPAC, and the issue affects all up to and including 2.4.0. No other versions are presently identified as vulnerable. Users running these versions on any operating system are potentially impacted, as the vulnerability is triggered by local input to the DumpMovieInfo function.", "description_and_impact": "A vulnerability exists in GPAC versions up to 2.4.0 within the DumpMovieInfo function of applications/mp4box/filedump.c. The flaw causes a null pointer dereference when the function processes certain input, which can lead to a crash of the GPAC process. This type of error does not provide an attacker with code execution or privilege escalation capabilities, but it can result in a denial of service by terminating the application.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate severity, and the EPSS score is less than 1%, suggesting that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. The exploit is publicly available, but the attack vector is local, meaning that an attacker must have the ability to run code on the affected system or provide malicious input directly. Given the public release of the exploit, the risk to systems that run GPAC in an exposed or privileged context remains a moderate concern."}}}}, "created": "2026-01-26T11:47:59.604123+00:00", "updated": "2026-04-18T19:00:08.038606+00:00", "vendors": ["gpac", "gpac$PRODUCT$gpac"]}