CVE-2026-33144 MEDIUM

CVE-2026-33144: GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)

Vendor Gpac
Product gpac
Weakness CWE-787
Published March 20, 2026
Last update March 20, 2026

CVSS base score

5.8/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been via commit 86b0e36.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
March 20, 2026 Record updated