CVE-2026-33144
Published: 20 March 2026
Summary
CVE-2026-33144 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in GPAC, affecting the MP4Box tool of the GPAC multimedia framework. Its CVSS v3.1 base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). It ranks at the 6.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the heap buffer overflow by requiring timely remediation, i.e. updating GPAC to a build that includes fix commit 86b0e36.
SI-16 (Memory Protection): memory protection mechanisms such as ASLR and a non-executable heap raise the cost of turning the out-of-bounds write into code execution on unpatched builds. They do not prevent the write itself, so a crash (the high availability impact in the CVSS vector) remains possible until the fix is applied.
Input validation: validate NHML inputs containing BitSequence elements before they reach MP4Box, so that malformed data that would trigger the out-of-bounds write in gf_xml_parse_bit_sequence_bs is rejected. This is defense in depth alongside the fix, not a replacement for it.
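As an added example (not GPAC code and not part of the original advisory), the following pre-filter is the kind of gate a wrapper script can run over an NHML file before invoking MP4Box on it. The attribute names bits, value and string on <BS> elements, the NHNTStream/NHNTSample element names in the constructed samples, and the numeric caps are assumptions of this example. The exact malformed input that reaches the out-of-bounds write in gf_xml_parse_bit_sequence_bs is not described on this page, so the gate enforces generic bounds only; it is defense in depth and does not substitute for the fix commit.

```python
import xml.etree.ElementTree as ET

# Bounds are assumptions chosen for this example, not limits taken from GPAC.
MAX_FILE_BYTES = 16 * 1024 * 1024      # refuse oversized NHML files outright
MAX_BITS_PER_BS = 64                   # a single <BS bits=.../> field wider than a word is suspect
MAX_STRING_BYTES = 4096                # cap on <BS string="..."/> payloads
MAX_TOTAL_BITS = 8 * 1024 * 1024       # cap on the whole declared bit sequence (1 MiB)


class NhmlRejected(ValueError):
    """Raised when an NHML file fails the pre-filter."""


def _as_int(text: str, name: str) -> int:
    """Parse a decimal or 0x-prefixed attribute value, rejecting anything else."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        raise NhmlRejected(f"<BS> attribute {name}={text!r} is not an integer")


def check_nhml(data: bytes) -> int:
    """Validate every <BS> element and return the total number of bits it declares.

    Raises NhmlRejected on any bound violation. The attribute names bits, value and
    string follow common NHML usage and are an assumption of this example; a <BS>
    carrying other attributes (file or media references) is refused rather than guessed at.
    """
    if len(data) > MAX_FILE_BYTES:
        raise NhmlRejected(f"file of {len(data)} bytes exceeds {MAX_FILE_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise NhmlRejected(f"not well-formed XML: {exc}")

    total_bits = 0
    for bs in root.iter("BS"):
        attrs = bs.attrib
        if "string" in attrs:
            nbytes = len(attrs["string"].encode("utf-8"))
            if nbytes > MAX_STRING_BYTES:
                raise NhmlRejected(f"string payload of {nbytes} bytes exceeds {MAX_STRING_BYTES}")
            total_bits += 8 * nbytes
        elif "bits" in attrs:
            bits = _as_int(attrs["bits"], "bits")
            if not 1 <= bits <= MAX_BITS_PER_BS:
                raise NhmlRejected(f"bits={bits} outside 1..{MAX_BITS_PER_BS}")
            if "value" in attrs:
                value = _as_int(attrs["value"], "value")
                if not 0 <= value < (1 << bits):
                    raise NhmlRejected(f"value={value} does not fit in {bits} bits")
            total_bits += bits
        else:
            raise NhmlRejected(f"<BS> with unsupported attributes {sorted(attrs)}")
        if total_bits > MAX_TOTAL_BITS:
            raise NhmlRejected(f"declared bit sequence exceeds {MAX_TOTAL_BITS} bits")
    return total_bits


def is_safe_to_import(data: bytes) -> bool:
    """Boolean gate for a wrapper that decides whether to hand the file to MP4Box."""
    try:
        check_nhml(data)
        return True
    except NhmlRejected:
        return False


# Constructed sample inputs for this example; not taken from any real exploit or test case.
SAMPLE_OK = (
    b'<NHNTStream streamType="4" mediaType="vide" timeScale="1000">'
    b'<NHNTSample DTS="0"><BS bits="8" value="0x47"/><BS string="abc"/></NHNTSample>'
    b"</NHNTStream>"
)
SAMPLE_OVERWIDE = b'<NHNTStream><NHNTSample><BS bits="100000" value="1"/></NHNTSample></NHNTStream>'
SAMPLE_BAD_VALUE = b'<NHNTStream><NHNTSample><BS bits="4" value="16"/></NHNTSample></NHNTStream>'

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("overwide", SAMPLE_OVERWIDE), ("value", SAMPLE_BAD_VALUE)):
        print(label, "accepted" if is_safe_to_import(sample) else "rejected")
```

The gate refuses rather than guesses on anything it does not understand, which is the right default for a filter placed in front of a native parser with a known memory-safety bug. xml.etree is used for brevity; when the XML itself comes from untrusted parties, a hardened parser such as defusedxml is the better choice.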
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1204.002 (User Execution: Malicious File): the heap overflow in MP4Box is triggered by processing a crafted NHML file, so the attacker must get a victim to open or import that file. The malicious file is the delivery vehicle, and any resulting code execution runs with the privileges of the user who ran MP4Box.
NVD Description
GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been fixed via commit 86b0e36.
Deeper analysis
CVE-2026-33144 is a heap-based buffer overflow (write) vulnerability (CWE-787) in the GPAC open-source multimedia framework, specifically affecting the MP4Box tool prior to commit 86b0e36. The flaw resides in the gf_xml_parse_bit_sequence_bs function within utils/xml_bin_custom.c, which mishandles crafted NHML files containing malicious <BS> (BitSequence) elements. Processing such a file triggers an out-of-bounds write on the heap.
The vulnerability carries a CVSS v3.1 base score of 5.8 (AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H): local attack vector, high attack complexity, no privileges required, user interaction required, scope unchanged. AV:L here reflects the CVSS v3.1 convention for file-borne bugs, where the attacker relies on a user opening a malicious document; it does not mean the attacker needs an account on the victim's machine. The attacker supplies a crafted NHML file to a victim who processes it with MP4Box, corrupting the heap. The likely outcome is a crash of the tool (the high availability impact); arbitrary code execution, reflected in the low confidentiality and integrity impacts, depends on heap layout and the platform's memory protections, which is also why the attack complexity is rated high.
Mitigation is available via commit 86b0e36ea4c71402fbdaf7e13d73ba8841003e72 in the GPAC repository. Additional details are provided in the GitHub Security Advisory GHSA-3jw5-9pmw-vmfg. Users should update to a release or build that incorporates this commit; in a source checkout, `git merge-base --is-ancestor 86b0e36ea4c71402fbdaf7e13d73ba8841003e72 HEAD` exits 0 when the fix is present. Until then, do not process NHML files from untrusted sources with MP4Box or other GPAC-based importers.
Details
- CWE(s)