PatchSiren cyber security CVE debrief

CVE-2026-9572 GPAC CVE debrief

A memory leak vulnerability exists in GPAC up to version 2.4.0, specifically within the Media_GetSample function in src/isomedia/media.c. The vulnerability is triggered through manipulation of the 'cat' argument when processing MP4 files via the MP4Box component. This issue results in a memory leak (CWE-401/CWE-404) with availability impact. The attack vector is local, requiring low privileges but no user interaction. A public proof-of-concept has been disclosed, increasing the likelihood of exploitation attempts. The vulnerability was published on 2026-05-26 and modified the same day. A patch is available via commit e79c5cbe8b3fed27f4854ec229457d30c96206f1.

Vendor: GPAC
Product: GPAC
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-28
Advisory published: 2026-05-26
Advisory updated: 2026-05-28

Who should care

Organizations running GPAC/MP4Box in multi-user environments; media processing pipelines with local file ingestion; security teams monitoring for memory exhaustion attacks in multimedia processing applications

Technical summary

The Media_GetSample function in src/isomedia/media.c fails to properly release memory when processing certain MP4 file inputs through manipulation of the 'cat' argument. The result is a memory leak that can degrade system availability over time. The vulnerability is exploitable only from local environments with low privileges, which limits its practical attack surface. The CVSS 4.0 score of 1.9 (LOW) reflects the constrained attack vector and limited impact scope. Public exploit availability raises the patching priority in environments where untrusted local users can reach MP4Box functionality.

Defensive priority

low

Recommended defensive actions

  • Apply the available patch (commit e79c5cbe8b3fed27f4854ec229457d30c96206f1) to GPAC installations
  • Upgrade to GPAC version 2.4.0 or later once patched
  • Restrict local access to MP4Box processing on multi-user systems
  • Monitor for unusual memory consumption patterns in MP4Box operations
  • Review and validate MP4 file inputs before processing

Evidence notes

CVSS 4.0 vector confirms local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), with availability impact (VA:L). The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-404 (Improper Resource Shutdown or Release). The source indicates the exploit has been publicly disclosed.
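To make the CWE-401 pattern named above concrete (the technical summary describes memory that is acquired while reading a sample and never released on certain inputs), here is an added illustration of the bug class and its fix. It is not GPAC's code: the sample_t record, the read_sample_* functions and the toy "length-prefixed payload" layout are assumptions made for this example, and the allocation counter exists only so the leak can be observed in a test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical illustration of CWE-401 on an MP4-style sample reader.
 * Not GPAC code: names and record layout are assumptions for this example. */

/* Tiny allocation tracker so a leak shows up as a number, not a guess. */
static long g_live_allocs = 0;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p) g_live_allocs++;
    return p;
}
static void tracked_free(void *p) {
    if (p) { g_live_allocs--; free(p); }
}
long live_allocations(void) { return g_live_allocs; }

typedef struct {
    uint32_t size;   /* declared payload length */
    uint8_t *data;   /* payload copied out of the file buffer */
} sample_t;

/* Constructed record format: 4-byte big-endian length, then payload.
 * A record is malformed when it declares more bytes than are present. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Leaky reader: the record struct is allocated before the length is
 * validated, and the error paths return without releasing it. Every
 * malformed record costs one allocation that is never freed. */
int read_sample_leaky(const uint8_t *buf, size_t len, sample_t **out) {
    *out = NULL;
    if (len < 4) return -1;
    sample_t *s = tracked_malloc(sizeof *s);
    if (!s) return -1;
    s->size = read_be32(buf);
    if ((size_t)s->size > len - 4) return -1;      /* BUG: s leaks here */
    s->data = tracked_malloc(s->size ? s->size : 1);
    if (!s->data) return -1;                        /* BUG: s leaks here too */
    memcpy(s->data, buf + 4, s->size);
    *out = s;
    return 0;
}

/* Fixed reader: validate before acquiring anything, and make every
 * failure path release exactly what was acquired before it. */
int read_sample_fixed(const uint8_t *buf, size_t len, sample_t **out) {
    *out = NULL;
    if (len < 4) return -1;
    uint32_t size = read_be32(buf);
    if ((size_t)size > len - 4) return -1;          /* reject before allocating */
    sample_t *s = tracked_malloc(sizeof *s);
    if (!s) return -1;
    s->size = size;
    s->data = tracked_malloc(size ? size : 1);
    if (!s->data) { tracked_free(s); return -1; }   /* release on failure */
    memcpy(s->data, buf + 4, size);
    *out = s;
    return 0;
}

void free_sample(sample_t *s) {
    if (!s) return;
    tracked_free(s->data);
    tracked_free(s);
}

/* Feed one constructed malformed record to a reader `rounds` times and
 * return how many allocations it left live. A correct reader returns 0. */
long leaked_after(int (*reader)(const uint8_t *, size_t, sample_t **), int rounds) {
    /* Constructed bad record: declares 0x1000 payload bytes, carries 2. */
    static const uint8_t bad[] = { 0x00, 0x00, 0x10, 0x00, 0xAA, 0xBB };
    long before = g_live_allocs;
    for (int i = 0; i < rounds; i++) {
        sample_t *s = NULL;
        if (reader(bad, sizeof bad, &s) == 0) free_sample(s);
    }
    return g_live_allocs - before;
}

int main(void) {
    printf("leaky reader: %ld live allocations after 1000 bad records\n",
           leaked_after(read_sample_leaky, 1000));
    printf("fixed reader: %ld live allocations after 1000 bad records\n",
           leaked_after(read_sample_fixed, 1000));
    return 0;
}
```

The defensive point is the shape of the fix rather than the specific check: reject the input before acquiring resources where possible, and give every error path a release that mirrors the acquisitions before it. Running a tool such as MP4Box over a large batch of untrusted files under a leak detector (for example AddressSanitizer's LeakSanitizer) turns a slow availability degradation of this kind into an immediate, attributable report.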
