CVE-2026-27821
Published: 26 February 2026
Summary
CVE-2026-27821 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Gpac Gpac. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack buffer overflow by requiring timely patching of GPAC to incorporate the fix from commit 9bd7137fded2db40de61a2cf3045812c8741ec52.
Requires validation of NHML XML attribute lengths, such as xmlHeaderEnd, to prevent oversized inputs from overflowing the fixed-size szXmlHeaderEnd[1000] stack buffer.
Provides memory protections like stack canaries, ASLR, and DEP to hinder exploitation of the stack buffer overflow for arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack buffer overflow in local NHML file parser enables arbitrary code execution when victim opens crafted file (T1204.002), directly constituting client-side exploitation (T1203).
NVD Description
GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without…
more
any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue.
Deeper analysisAI
CVE-2026-27821 is a stack buffer overflow vulnerability (CWE-121) in the GPAC open-source multimedia framework, affecting versions up to and including 26.02.0. The flaw occurs in the NHML file parser located at src/filters/dmx_nhml.c, where the value of the xmlHeaderEnd XML attribute from att->value is copied via strcpy() into the fixed-size stack buffer szXmlHeaderEnd[1000] without any bounds checking. Inputs longer than 1000 bytes overwrite memory beyond the buffer boundary, as scored at CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker with local access can exploit this vulnerability with low complexity and no required privileges, but it necessitates user interaction, such as convincing a user to open or process a specially crafted malicious NHML file using GPAC. Successful exploitation enables high-impact outcomes, including arbitrary code execution with potential for full confidentiality, integrity, and availability compromise on the affected system.
Mitigation is provided by commit 9bd7137fded2db40de61a2cf3045812c8741ec52, which addresses the buffer overflow. Security advisories, including GHSA-q7qh-8r2r-q559 on the GPAC GitHub repository, recommend updating to a patched version of GPAC that incorporates this fix.
Details
- CWE(s)