CVE-2026-33144 — Out-of-bounds Write in Gpac

CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

5.8MEDIUMNVD

EPSS

0.0%

top 95.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gpac Debian Gpac

Timeline

PublishedMar 20

Description

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:HExploitability: 1.0 | Impact: 4.7

Affected Packages2 packages

▶CVEListV5gpac/gpac< 86b0e36ea4c71402fbdaf7e13d73ba8841003e72

▶debiandebian/gpac

🔴Vulnerability Details

OSV

CVE-2026-33144: GPAC is an open-source multimedia framework↗2026-03-20

▶

📋Vendor Advisories

Debian

CVE-2026-33144: gpac - GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-bas...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33144 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶