{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33144", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.929Z", "datePublished": "2026-03-20T20:07:58.175Z", "dateUpdated": "2026-03-20T21:22:31.163Z"}, "containers": {"cna": {"title": "GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg"}, {"name": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "tags": ["x_refsource_MISC"], "url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}], "affected": [{"vendor": "gpac", "product": "gpac", "versions": [{"version": "< 86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:07:58.175Z"}, "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}], "source": {"advisory": "GHSA-3jw5-9pmw-vmfg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T21:20:35.775326Z", "id": "CVE-2026-33144", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T21:22:31.163Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33144", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T21:20:35.775326Z"}}}], "references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T21:20:54.031Z"}}], "cna": {"title": "GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)", "source": {"advisory": "GHSA-3jw5-9pmw-vmfg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "gpac", "product": "gpac", "versions": [{"status": "affected", "version": "< 86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}]}], "references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "name": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "name": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T20:07:58.175Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33144", "state": "PUBLISHED", "dateUpdated": "2026-03-20T21:22:31.163Z", "dateReserved": "2026-03-17T20:35:49.929Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T20:07:58.175Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*", "matchCriteriaId": "B06297BA-6A44-4777-BF89-4CFDA06B0A4D", "versionEndExcluding": "2026-03-17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}, {"lang": "es", "value": "GPAC es un framework multimedia de c\u00f3digo abierto. Antes del commit 86b0e36, se descubri\u00f3 una vulnerabilidad de desbordamiento de b\u00fafer basado en mont\u00edculo (escritura) en GPAC MP4Box. La vulnerabilidad existe en la funci\u00f3n gf_xml_parse_bit_sequence_bs en utils/xml_bin_custom.c al procesar un archivo NHML manipulado que contiene elementos (BitSequence) maliciosos. Un atacante puede explotar esto al proporcionar un archivo NHML especialmente dise\u00f1ado, causando una escritura fuera de l\u00edmites en el mont\u00edculo. Este problema ha sido a trav\u00e9s del commit 86b0e36."}], "id": "CVE-2026-33144", "lastModified": "2026-04-14T18:21:42.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T21:17:15.077", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,86b0e36ea4c71402fbdaf7e13d73ba8841003e72)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "gpac", "source": "cna", "vendor": "gpac"}, "product": "gpac", "vendor": "gpac"}], "analysis": {"en": {"generated_at": "2026-04-14T22:38:41.839308+00:00", "value": {"mitigation_remediation": ["Apply the official patch that includes commit 86b0e36", "If patching is not possible, avoid processing NHML files from untrusted sources or restrict file permissions to limit exposure", "Check the vendor's website or repository for future updates or additional patches"], "summary": {"action": "Patch", "impact": "Heap Buffer Overflow"}, "threat_synthesis": {"affected_systems": "GPAC is the affected vendor and MP4Box is the relevant component. All releases of GPAC prior to the inclusion of commit 86b0e36e are vulnerable. Users who have not incorporated this commit, regardless of source, remain exposed.", "description_and_impact": "A heap\u2011based buffer overflow occurs in the GPAC MP4Box utility when it parses an NHML file containing malicious <BS> elements. The flaw stems from the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c, where an out\u2011of\u2011bounds write can corrupt memory on the heap. The CVE description does not assert arbitrary code execution; it indicates that such corruption could result in memory corruption or a process crash.", "risk_and_exploitability": "The CVSS score of 5.8 reflects moderate severity, and an EPSS score of less than 1\u202f% implies a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would require an attacker to supply a specially crafted NHML file to a running MP4Box instance, triggering the overflow during parsing."}}}}, "created": "2026-03-23T09:52:47.216932+00:00", "updated": "2026-04-15T16:45:09.815506+00:00", "vendors": ["gpac", "gpac$PRODUCT$gpac"]}