PatchSiren cyber security CVE debrief

CVE-2026-9567 GPAC CVE debrief

A null pointer dereference vulnerability exists in GPAC up to version 2.4.0, specifically within the MergeFragment function in src/isomedia/isom_intern.c. The issue affects the MP4Box component and can be triggered through local manipulation. The vulnerability has been assigned a CVSS 4.0 score of 1.9 (LOW severity) with an attack vector of local access, low attack complexity, and low availability impact. A proof-of-concept exploit has been publicly released, increasing the risk of exploitation. The vulnerability was published on 2026-05-26 and last modified on 2026-05-26. The weakness classifications include CWE-404 (Improper Resource Shutdown or Release) and CWE-476 (NULL Pointer Dereference). A patch is available via commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1.

Vendor: GPAC
Product: MP4Box
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using GPAC for MP4 media processing, particularly those allowing local user access to MP4Box functionality. System administrators maintaining GPAC installations should prioritize patching to prevent potential denial-of-service conditions from local attacks.

Technical summary

The MergeFragment function in src/isomedia/isom_intern.c of GPAC's MP4Box component fails to properly handle null pointer conditions, resulting in a null pointer dereference. The vulnerability requires local access to exploit and primarily impacts availability. The attack complexity is low, and a public proof-of-concept has been released, though the local attack vector and low severity limit widespread exploitation risk.

Defensive priority

Low

Recommended defensive actions

  • Apply the patch from commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1 to GPAC installations
  • Upgrade to a GPAC release containing the fix once one is available
  • Restrict local access to MP4Box processing on affected systems
  • Monitor for suspicious local activity involving MP4Box file processing
  • Review GPAC issue #3549 for additional technical context
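As an added example, not part of this advisory and not GPAC project code, the following POSIX shell helper turns the two facts the debrief gives (the affected range, GPAC up to 2.4.0, and the fix commit) into a repeatable triage check for the first two actions above. `MP4Box -version` is GPAC's own version flag, but the exact banner format matched by the parser is an assumption; builds newer than 2.4.0 are deliberately reported as "check-commit" rather than "fixed", because the advisory names no fixed release, only the commit.

```shell
#!/bin/sh
# Added triage helper (example code, not from the advisory or GPAC).
# Facts taken from the advisory: affected range <= 2.4.0, fix commit below.
# Assumption: `MP4Box -version` prints a line containing "GPAC version X.Y.Z...".

AFFECTED_MAX="2.4.0"
FIX_COMMIT="525bf1af642c30af04e4df5345e6d798c0a4d8a1"

# parse_gpac_version BANNER: print the dotted X.Y.Z version found in a version
# banner, or nothing if the banner does not match the assumed format.
parse_gpac_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*GPAC version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# version_le A B: return 0 if dotted version A <= B, comparing field by field
# numerically (so 2.3.10 < 2.4.0, unlike a plain string comparison).
version_le() {
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i"); fa=${fa:-0}
        fb=$(printf '%s' "$2" | cut -d. -f"$i"); fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0   # all three fields equal
}

# classify_banner BANNER: print "affected" (version within the advisory range),
# "check-commit" (newer than the range but not known to be fixed; verify the
# commit instead) or "unknown" (version could not be parsed).
classify_banner() {
    v=$(parse_gpac_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return
    fi
    if version_le "$v" "$AFFECTED_MAX"; then
        echo affected
    else
        echo check-commit
    fi
}

# check_source_checkout DIR: for a build made from a git checkout, print
# "patched" if the fix commit is an ancestor of HEAD, "unpatched" if it is not,
# or "no-git" if DIR is not a git work tree (or git is unavailable).
check_source_checkout() {
    command -v git >/dev/null 2>&1 || { echo no-git; return; }
    git -C "$1" rev-parse --git-dir >/dev/null 2>&1 || { echo no-git; return; }
    if git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
        echo patched
    else
        echo unpatched
    fi
}

# Stand-alone usage: classify the installed MP4Box, if one is on PATH.
if command -v MP4Box >/dev/null 2>&1; then
    classify_banner "$(MP4Box -version 2>&1)"
fi
```

Run it on each host that carries MP4Box; a result of "affected" or "unpatched" means the patch action above still applies, and "check-commit" means the version number alone is not enough evidence and the source checkout (or the distribution's changelog) has to confirm that the commit is present.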

Evidence notes

Vulnerability disclosed via VulDB and NVD. Proof-of-concept exploit publicly available. Patch commit identified and linked.
