CVE-2026-1418 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Gpac

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787 — Out-of-bounds Write CWE-166 — Improper Handling of Missing Special Element CWE-476 — NULL Pointer Dereference10 documents6 sources

Severity

4.8MEDIUMNVD

EPSS

0.0%

top 98.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Gpac Debian Gpac

Timeline

PublishedJan 26

Latest updateMar 25

Description

A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDgpac/gpac2.4.0

▶CVEListV5gpac/gpac5 versions+4

▶debiandebian/gpac

▶Linuxlinux/linux_kernel4.14.0 — 6.1.167+4

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()↗2026-03-25

▶

OSV

CVE-2026-1418: A security vulnerability has been detected in GPAC up to 2↗2026-01-26

▶

GHSA

GHSA-5j8r-5f3r-4w9p: A security vulnerability has been detected in GPAC up to 2↗2026-01-26

▶

📋Vendor Advisories

Red Hat

kernel: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()↗2026-03-25

▶

Debian

CVE-2026-1418: gpac - A security vulnerability has been detected in GPAC up to 2.4.0. This affects the...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1418 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶