Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50810

CVE-2026-50810: GPAC NULL Pointer Dereference DOS Vuln

CVE-2026-50810 is a NULL pointer dereference denial of service vulnerability in GPAC's mpd.c file that allows attackers to crash the application. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-50810 Overview

CVE-2026-50810 is a NULL pointer dereference vulnerability in the smooth_parse_stream_index() function located in src/media_tools/mpd.c within the GPAC multimedia framework. The flaw affects GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5. Attackers can trigger the dereference by supplying a crafted Smooth Streaming manifest, causing the process to crash and resulting in a denial of service. The issue was identified via fuzzing and tracked as GPAC issue #3507.

Critical Impact

Processing a malformed Smooth Streaming manifest causes GPAC to dereference NULL pointers within nested segment_template structures, crashing any application or pipeline that parses untrusted media input.

Affected Products

  • GPAC multimedia framework (master branch)
  • Builds prior to commit b35c61f104b85fbb16520ac2838d5d2ef70845b5
  • Applications and services embedding vulnerable GPAC MPD parsing code

Discovery Timeline

  • 2026-07-07 - CVE-2026-50810 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-50810

Vulnerability Analysis

The defect resides in smooth_parse_stream_index(), which parses Microsoft Smooth Streaming manifests and converts them into GPAC's internal MPEG-DASH Media Presentation Description (MPD) representation. When the parser encounters a child element named c (chunk element), it invokes smooth_parse_chunk() and passes set->segment_template->segment_timeline->entries without verifying that each intermediate pointer is non-NULL. A malformed input document that omits or misorders the parent SegmentTemplate or SegmentTimeline elements leaves those pointers unset, producing a NULL pointer dereference [CWE-476].

Root Cause

The parser assumes structural invariants of a well-formed Smooth Streaming manifest and skips defensive validation before traversing nested fields. Because the manifest is attacker-controlled, any missing intermediate object breaks the assumption and causes an immediate crash when the code reads through the NULL chain. Fuzzing exposed the missing guard.

Attack Vector

An attacker delivers a crafted Smooth Streaming manifest to any application that uses GPAC to parse MPD or Smooth Streaming input. This can occur through media playback tools, transcoding pipelines, or web services that ingest user-supplied manifests. Successful exploitation terminates the process, disrupting streaming, ingestion, or automated media workflows.

c
 		if (!strcmp(child->name, "QualityLevel")) {
 			smooth_parse_quality_level(mpd, set->representations, child, timescale);
 		}
-		if (!strcmp(child->name, "c")) {
+		if (!strcmp(child->name, "c") && child && set && set->segment_template && set->segment_template->segment_timeline && set->segment_template->segment_timeline->entries) {
 			smooth_parse_chunk(mpd, set->segment_template->segment_timeline->entries, child);
 		}
 	}
// Source: https://github.com/gpac/gpac/commit/b35c61f104b85fbb16520ac2838d5d2ef70845b5

The patch adds explicit NULL guards for child, set, set->segment_template, set->segment_timeline, and entries before invoking smooth_parse_chunk().

Detection Methods for CVE-2026-50810

Indicators of Compromise

  • Unexpected termination or segmentation faults of MP4Box, gpac, or applications linked against libgpac while processing Smooth Streaming manifests.
  • Core dumps referencing smooth_parse_stream_index or smooth_parse_chunk frames.
  • Repeated ingestion failures in media pipelines triggered by manifests missing SegmentTemplate or SegmentTimeline elements.

Detection Strategies

  • Inspect Smooth Streaming manifests for missing or malformed SegmentTemplate/SegmentTimeline nodes accompanied by c child elements.
  • Run affected binaries under a fuzzing harness or AddressSanitizer to reproduce the NULL dereference on suspect inputs.
  • Correlate GPAC crash events with the source manifest and originating client to identify malicious submitters.

Monitoring Recommendations

  • Alert on abnormal exit codes or crash signals from processes invoking GPAC libraries.
  • Log manifest URLs, hashes, and submitting identities for any file passed to GPAC parsing components.
  • Track version and build hashes of deployed GPAC binaries to confirm patch coverage.

How to Mitigate CVE-2026-50810

Immediate Actions Required

  • Rebuild GPAC from a source tree that includes commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 or later.
  • Restrict Smooth Streaming manifest ingestion to trusted sources until the patched build is deployed.
  • Isolate GPAC parsing workloads in sandboxed or containerized environments to contain crash impact.

Patch Information

The upstream fix is available in the GPAC commit b35c61f, which adds NULL guards in smooth_parse_stream_index() before calling smooth_parse_chunk(). Additional context is available in the GPAC issue #3507 discussion and the fuzzing reference gist.

Workarounds

  • Validate incoming Smooth Streaming manifests against a schema before handing them to GPAC.
  • Wrap GPAC invocations with process supervisors that restart on crash to minimize service downtime.
  • Disable Smooth Streaming input paths where the feature is not required by the application.
bash
# Rebuild GPAC with the upstream fix
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout b35c61f104b85fbb16520ac2838d5d2ef70845b5
./configure && make -j$(nproc)
sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.