CVE-2026-14801 Overview
CVE-2026-14801 is a divide-by-zero vulnerability [CWE-369] in GPAC version 26.03-DEV-rev342-g80071f700-master. The flaw resides in the txtin_probe_duration function within src/filters/load_text.c, part of the TeXML File Handler component. Manipulating the txml_timescale argument to zero triggers an arithmetic exception during duration calculation. The vulnerability requires local access and low-privileged authentication to exploit.
Critical Impact
Local attackers can trigger a divide-by-zero condition in GPAC's TeXML processing path, causing the application to crash and resulting in a denial-of-service condition when handling crafted media inputs.
Affected Products
- GPAC 26.03-DEV-rev342-g80071f700-master
- Component: TeXML File Handler (src/filters/load_text.c)
- Function: txtin_probe_duration
Discovery Timeline
- 2026-07-06 - CVE-2026-14801 published to NVD
- 2026-07-06 - Patch commit 86a5191f2e750c767253e27ed6cfd6d547afebc2 merged to GPAC repository
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2026-14801
Vulnerability Analysis
The vulnerability exists in GPAC's text input filter, specifically the TeXML duration probing logic. When GPAC parses a TeXML file, the txtin_probe_duration function computes track duration by dividing a scaled integer value by the txml_timescale context field. If txml_timescale is zero (either uninitialized or set from attacker-controlled input), the division operation triggers a hardware exception (SIGFPE on POSIX systems). This terminates the process abruptly.
The defect is categorized under [CWE-369] Divide By Zero. Impact is limited to availability of the GPAC process, with no confidentiality or integrity implications. The exploitation prerequisite is local access, which reduces the attack surface for exposed services.
Root Cause
The root cause is missing input validation on the txml_timescale value prior to its use as a divisor. The original code performed (1000 * duration) / ctx->txml_timescale without verifying a non-zero denominator. Any code path that leaves txml_timescale at zero, including malformed or minimal TeXML inputs, reaches the faulty arithmetic expression.
Attack Vector
An attacker with local access supplies a crafted TeXML file to a GPAC-based workflow or tool. When GPAC probes the file duration, the divide-by-zero triggers. This is particularly relevant to build pipelines, fuzzing harnesses, and multimedia processing services that ingest untrusted files locally.
// Patch fix in src/filters/load_text.c
// Guards the divisor with a fallback to 1 when txml_timescale is zero
} else {
if (strcmp(att->name, "duration")) continue;
duration = atoi(att->value);
- dur.num += (s32) ( (1000 * duration) / ctx->txml_timescale);
+ dur.num += (s32) ( (1000 * duration) / (ctx->txml_timescale ? ctx->txml_timescale : 1) );
}
}
}
// Source: https://github.com/gpac/gpac/commit/86a5191f2e750c767253e27ed6cfd6d547afebc2
The companion fix in src/isomedia/isom_read.c adds null checks on track and media structures to harden the ISO base media file format parser against related memory corruption during fuzzing:
movie->moov->compressed_diff = 0;
for (i=0; i<gf_list_count(movie->moov->trackList); i++) {
GF_TrackBox *trak = (GF_TrackBox*)gf_list_get(movie->moov->trackList, i);
+ if (!trak) continue;
trak->first_traf_merged = GF_FALSE;
+ if (!trak->Media || !trak->Media->information) continue;
if (trak->Media->information->dataHandler == movie->movieFileMap) {
trak->Media->information->dataHandler = NULL;
}
// Source: https://github.com/gpac/gpac/commit/86a5191f2e750c767253e27ed6cfd6d547afebc2
Detection Methods for CVE-2026-14801
Indicators of Compromise
- Unexpected termination of gpac, MP4Box, or MP4Client processes with SIGFPE (signal 8) exit status.
- Core dumps referencing txtin_probe_duration in load_text.c within the GPAC binary.
- Presence of TeXML input files with missing, zero, or malformed timescale attributes in ingestion queues.
Detection Strategies
- Monitor host telemetry for abnormal process exits from GPAC binaries and correlate with recent file inputs.
- Fuzz TeXML parsing paths using instrumented builds (AddressSanitizer, UBSan) to surface divide-by-zero events during pre-production validation.
- Compare deployed GPAC binaries against commit 86a5191f2e750c767253e27ed6cfd6d547afebc2 to identify unpatched builds.
Monitoring Recommendations
- Track file inputs to GPAC processing pipelines and flag repeated crashes tied to the same source or user.
- Alert on TeXML files delivered through untrusted channels, particularly in shared multimedia processing environments.
- Retain crash dumps and stack traces for post-incident analysis of arithmetic exceptions in media parsers.
How to Mitigate CVE-2026-14801
Immediate Actions Required
- Rebuild GPAC from source at or after commit 86a5191f2e750c767253e27ed6cfd6d547afebc2 in the GPAC GitHub repository.
- Restrict local user access to systems running GPAC utilities on untrusted inputs.
- Isolate GPAC-based media processing in sandboxed or containerized environments with restart policies to contain crashes.
Patch Information
The upstream fix is committed as 86a5191f2e750c767253e27ed6cfd6d547afebc2 in the GPAC repository. The patch guards the divisor with a ternary check, substituting 1 when txml_timescale is zero. Additional hardening in isom_read.c adds null pointer checks on track and media structures. Detailed references are available in the GPAC commit details, GitHub Issue #3610, and the VulDB entry for CVE-2026-14801.
Workarounds
- Avoid processing untrusted TeXML files with unpatched GPAC builds until the fix is applied.
- Wrap GPAC invocations with process supervisors that restart on SIGFPE and log offending inputs for review.
- Apply the one-line source patch directly to src/filters/load_text.c if a full upgrade is not immediately feasible.
# Apply the upstream patch and rebuild GPAC
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout 86a5191f2e750c767253e27ed6cfd6d547afebc2
./configure
make -j$(nproc)
sudo make install
# Verify the patched binary
MP4Box -version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

