Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13523

CVE-2026-13523: GPAC Buffer Overflow Vulnerability

CVE-2026-13523 is a buffer overflow vulnerability in GPAC's ISOBMFF Parser affecting versions up to 26.02.0. The flaw involves highly compressed data handling that can be exploited locally. This article covers technical details, affected versions, impact assessment, and available patches.

Published:

CVE-2026-13523 Overview

CVE-2026-13523 affects GPAC versions up to 26.02.0, a widely used open-source multimedia framework for MP4, MPEG-DASH, and ISOBMFF processing. The flaw resides in src/utils/base_encoding.c within the ISOBMFF Parser component. Processing crafted input can produce highly compressed data expansion, a classic zip bomb pattern mapped to [CWE-404] Improper Resource Shutdown or Release. Exploitation requires local access and low privileges. A public exploit exists, and the GPAC maintainers have released patch 297f2d8d1f493d8b241330533cd47f7da758aeb3 to bound zlib inflate output relative to input size.

Critical Impact

A local attacker can supply a crafted compressed stream that expands beyond safe multipliers, causing availability degradation of applications parsing untrusted GPAC media inputs.

Affected Products

  • GPAC multimedia framework versions up to and including 26.02.0
  • Applications and tooling embedding the GPAC ISOBMFF Parser
  • Downstream distributions packaging vulnerable GPAC builds

Discovery Timeline

  • 2026-06-29 - CVE-2026-13523 published to NVD
  • 2026-06-29 - Last updated in NVD database

Technical Details for CVE-2026-13523

Vulnerability Analysis

GPAC uses zlib to inflate compressed payloads embedded in ISOBMFF and related container formats. The parser did not enforce an upper bound on the ratio between compressed input and inflated output. An attacker supplies a small, highly compressible blob that expands into a much larger buffer during parsing. The result is resource exhaustion, degrading availability of the process handling the file. The vendor confirms the fix: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error."

Root Cause

The root cause is missing validation of the decompression ratio in zlib usage across GPAC modules including src/utils/base_encoding.c and src/filters/dmx_nhml.c. Without a multiplier check, inflate() continues writing to output buffers as long as memory allocation succeeds. This maps directly to [CWE-404] Improper Resource Shutdown or Release, where the parser fails to terminate decompression on abnormal expansion.

Attack Vector

Exploitation requires local delivery of a crafted GPAC-parseable file. The attacker needs low privileges and no user interaction beyond having the target invoke GPAC on the file. Impact is limited to availability of the parsing process. Confidentiality and integrity are not affected. A public proof-of-concept is referenced in GitHub Issue #3588.

c
// Security patch: include/gpac/setup.h
// Introduces bounded inflate multiplier to prevent zip bomb expansion
 #endif
 //! @endcond
 
+#ifndef GPAC_DISABLE_ZLIB
+#define ZLIB_INFLATE_MAX_MULTIPLIER 32
+#define ZLIB_COMPRESS_SAFE 4
+#endif
+
+
 #ifdef __cplusplus
 }
 #endif
// Source: https://github.com/gpac/gpac/commit/297f2d8d1f493d8b241330533cd47f7da758aeb3
c
// Security patch: src/filters/dmx_nhml.c
// Removes local ZLIB_COMPRESS_SAFE macro in favor of the centralized bound
 /*since 0.2.2, we use zlib for xmt/x3d reading to handle gz files*/
 #include <zlib.h>
 
-#define ZLIB_COMPRESS_SAFE	4
-
 static GF_Err compress_sample_data(GF_NHMLDmxCtx *ctx, u32 compress_type, char **dict, u32 offset)
 {
 	z_stream stream;
// Source: https://github.com/gpac/gpac/commit/297f2d8d1f493d8b241330533cd47f7da758aeb3

Detection Methods for CVE-2026-13523

Indicators of Compromise

  • GPAC processes (MP4Box, gpac, MP4Client) consuming disproportionate memory or CPU while parsing a small input file.
  • Media files whose inflated ISOBMFF sections exceed 32 times the compressed payload size.
  • Repeated process termination or out-of-memory events on hosts handling untrusted media.

Detection Strategies

  • Inventory GPAC installations and compare versions against 26.02.0 and later patched builds.
  • Monitor for zlib inflate() operations producing output-to-input ratios above safe thresholds in media pipelines.
  • Alert on abrupt memory growth in processes linked against libgpac when parsing user-supplied files.

Monitoring Recommendations

  • Track process resource ceilings (RSS, CPU time) for GPAC binaries in build farms and transcoding services.
  • Log and review crashes referencing base_encoding.c or NHML demuxer stack frames.
  • Correlate anomalous GPAC terminations with file provenance to identify malicious inputs.

How to Mitigate CVE-2026-13523

Immediate Actions Required

  • Upgrade GPAC to a release containing commit 297f2d8d1f493d8b241330533cd47f7da758aeb3 or later.
  • Restrict who can supply media files to GPAC-based tooling, particularly in shared or multi-tenant environments.
  • Run GPAC parsers under resource limits (ulimit, cgroups) to contain expansion attacks.

Patch Information

The fix is delivered in upstream commit 297f2d8d1f493d8b241330533cd47f7da758aeb3, merged via Pull Request #3589 in response to Issue #3588. The patch introduces ZLIB_INFLATE_MAX_MULTIPLIER 32 in include/gpac/setup.h and aborts inflate operations that exceed the ratio. Reference the VulDB advisory for tracking metadata.

Workarounds

  • Sandbox GPAC processing behind seccomp or containers with strict memory caps.
  • Pre-screen incoming media for anomalous compression ratios before invoking GPAC.
  • Disable zlib-dependent code paths by building GPAC with GPAC_DISABLE_ZLIB where compression support is not required.
bash
# Configuration example: build patched GPAC and enforce runtime memory limits
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout 297f2d8d1f493d8b241330533cd47f7da758aeb3
./configure && make -j$(nproc) && sudo make install

# Run parsing jobs under a memory ceiling to contain zip bomb expansion
systemd-run --scope -p MemoryMax=512M -p CPUQuota=50% \
    MP4Box -info /path/to/untrusted.mp4

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.