CVE-2026-1415

EUVD-2026-4695

26.01.2026, 03:15

A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDB	CNA	3.3 LOW				CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
gpac	gpac	𝑥 ≤ 2.4.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

gpac

bullseye	vulnerable
bullseye (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

gpac

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne
trusty	needs-triage
xenial	needs-triage

Known Exploits!

Common Weakness Enumeration

References

https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd

https://github.com/gpac/gpac/issues/3428

https://github.com/gpac/gpac/issues/3428#issue-3802223345

https://vuldb.com/?ctiid.342804

https://vuldb.com/?id.342804

https://vuldb.com/?submit.736541