CVE-2026-33144

<!-- PoC for CVE-2026-33144: Heap Overflow in GPAC MP4Box --> <!-- Save as poc.nhml --> <NHML version="1.0"> <!-- Malicious BitSequence element triggering overflow --> <BS name="Overflow" length="99999999"> AAAA...[Truncated]...AAAA </BS> </NHML>

{"cve": {"id": "CVE-2026-33144", "sourceIdentifier": "[email protected]", "published": "2026-03-20T21:17:15.077", "lastModified": "2026-04-14T18:21:42.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36."}, {"lang": "es", "value": "GPAC es un framework multimedia de código abierto. Antes del commit 86b0e36, se descubrió una vulnerabilidad de desbordamiento de búfer basado en montículo (escritura) en GPAC MP4Box. La vulnerabilidad existe en la función gf_xml_parse_bit_sequence_bs en utils/xml_bin_custom.c al procesar un archivo NHML manipulado que contiene elementos (BitSequence) maliciosos. Un atacante puede explotar esto al proporcionar un archivo NHML especialmente diseñado, causando una escritura fuera de límites en el montículo. Este problema ha sido a través del commit 86b0e36."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026-03-17", "matchCriteriaId": "B06297BA-6A44-4777-BF89-4CFDA06B0A4D"}]}]}], "references": [{"url": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}