CVE-2026-4016

EUVD-2026-11551

12.03.2026, 09:15

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svgin_process of the file src/filters/load_svg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2. It is suggested to install a patch to address this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDB	CNA	5.3 MEDIUM				CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

gpac

bullseye	vulnerable
bullseye (security)	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

gpac

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne
trusty	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://github.com/gpac/gpac/

https://github.com/gpac/gpac/commit/7618d7206cdeb3c28961dc97ab0ecabaff0c8af2

https://github.com/gpac/gpac/issues/3468

https://github.com/user-attachments/files/25494042/poc_dims_oob.py

https://vuldb.com/?ctiid.350538

https://vuldb.com/?id.350538

https://vuldb.com/?submit.769798