CVE-2026-8124 Overview
CVE-2026-8124 is a resource allocation vulnerability in GPAC, an open-source multimedia framework used for packaging, streaming, and playing MP4/MPEG-4 content. The flaw resides in the sidx_box_read function within src/isomedia/box_code_base.c and allows an attacker to trigger uncontrolled memory allocation when parsing a crafted ISO Base Media File Format container. Exploitation requires local access and low privileges. The issue is classified under CWE-400: Uncontrolled Resource Consumption. A patch identified by commit 442e2299530138d8f874fd885c565ba98a6318ba is available upstream.
Critical Impact
A local attacker can supply a malformed segment index (sidx) box that forces GPAC to allocate excessive memory, leading to denial of service of the media parsing process.
Affected Products
- GPAC up to and including version 26.02.0
- Applications and tooling embedding the GPAC libgpac ISO media parser
- Build pipelines that process untrusted MP4/ISOBMFF input with vulnerable GPAC binaries
Discovery Timeline
- 2026-05-08 - CVE-2026-8124 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-8124
Vulnerability Analysis
The vulnerability exists in the segment index box (sidx) parser used by GPAC to read fragmented MP4 metadata. The function sidx_box_read reads a 16-bit nb_refs field directly from the input stream and then calls gf_malloc(sizeof(GF_SIDXReference) * ptr->nb_refs) without validating that the declared reference count is consistent with the remaining box size. A crafted file can advertise an nb_refs value far larger than the actual payload, causing the parser to request a large contiguous allocation. The condition aligns with CWE-400, where untrusted input controls a resource sizing decision.
Root Cause
The root cause is missing bounds validation between the attacker-controlled nb_refs counter and the size of the containing box. A secondary defect in the same patch corrects an operator precedence bug in gf_malloc(pSize+1 * sizeof(char)), which under-allocated due to multiplication binding tighter than addition.
Attack Vector
The attack requires local delivery of a malicious media file to a user or service that invokes GPAC tooling such as MP4Box. No network reachability is needed. Successful exploitation degrades availability of the parsing process but does not compromise confidentiality or integrity.
// Patched validation added to sidx_box_read in src/isomedia/box_code_base.c
gf_bs_read_u16(bs); /* reserved */
ptr->nb_refs = gf_bs_read_u16(bs);
if ((u64)ptr->nb_refs > ptr->size / 12 || (u64)ptr->nb_refs > (u64)SIZE_MAX / sizeof(GF_SIDXReference)) {
    GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of references %u in sidx\n", ptr->nb_refs));
    return GF_ISOM_INVALID_FILE;
}
ptr->refs = gf_malloc(sizeof(GF_SIDXReference)*ptr->nb_refs);
if (!ptr->refs) return GF_OUT_OF_MEM;
for (i=0; i<ptr->nb_refs; i++) {
Source: GPAC commit 442e2299. The patch enforces that nb_refs cannot exceed ptr->size / 12 (the minimum on-disk size of each reference entry) and cannot overflow SIZE_MAX when multiplied by sizeof(GF_SIDXReference).
Detection Methods for CVE-2026-8124
Indicators of Compromise
- Abnormal memory consumption or out-of-memory termination of MP4Box, gpac, or any process linked against libgpac while parsing user-supplied media.
- Crash dumps referencing sidx_box_read or gf_malloc call frames inside box_code_base.c.
- Unexpected GF_OUT_OF_MEM errors logged by media ingestion pipelines after consuming untrusted MP4/ISOBMFF inputs.
Detection Strategies
- Inventory hosts and container images that ship GPAC binaries at version 26.02.0 or earlier using software composition analysis.
- Inspect ISOBMFF inputs for sidx boxes whose declared reference_count is inconsistent with the box length field.
- Hash-compare deployed libgpac shared objects against builds that include commit 442e2299530138d8f874fd885c565ba98a6318ba.
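The following is an added example, not code from GPAC or from the upstream commit. It serves two passages: the Vulnerability Analysis / Root Cause description of the missing check between nb_refs and the box size, and the detection strategy of inspecting sidx boxes whose declared reference_count cannot fit in the box. It parses the fixed header of a 32-bit-size sidx box as laid out in ISO/IEC 14496-12 (version 0 and 1), then applies the same two guards the patch adds (count must not exceed remaining bytes / 12, and count times the 12-byte entry size must not overflow size_t) before any allocation would be sized from the count. The function and type names (sidx_validate, build_sidx, sidx_header, the SIDX_* status codes) are hypothetical, and the inputs are constructed in build_sidx rather than taken from any real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating one sidx box (hypothetical names, not GPAC's). */
enum sidx_status {
    SIDX_OK = 0,
    SIDX_NOT_SIDX,       /* box type is not 'sidx' */
    SIDX_TRUNCATED,      /* size field exceeds the buffer, or box is shorter than its fixed header */
    SIDX_BAD_REF_COUNT   /* declared reference_count cannot fit in the remaining payload */
};

typedef struct {
    uint8_t  version;
    uint32_t reference_id;
    uint32_t timescale;
    uint16_t reference_count;
    size_t   payload_bytes;  /* bytes left after the fixed header for 12-byte reference entries */
} sidx_header;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | (uint16_t)p[1]);
}

/* Parse the fixed part of a 32-bit-size sidx box at buf[0..len) and apply the
 * two guards from the upstream fix: reference_count may not exceed
 * remaining_bytes / 12, and count * entry_size may not overflow size_t. */
enum sidx_status sidx_validate(const uint8_t *buf, size_t len, sidx_header *out)
{
    if (len < 8) return SIDX_TRUNCATED;
    uint32_t box_size = rd32(buf);
    if (memcmp(buf + 4, "sidx", 4) != 0) return SIDX_NOT_SIDX;
    if (box_size < 8 || box_size > len) return SIDX_TRUNCATED;

    const uint8_t *p = buf + 8;
    size_t remaining = box_size - 8;
    if (remaining < 4) return SIDX_TRUNCATED;
    uint8_t version = p[0];          /* 24-bit flags follow and are not needed here */
    p += 4; remaining -= 4;

    /* reference_ID, timescale, earliest_presentation_time + first_offset
     * (4+4 bytes in version 0, 8+8 in version 1), reserved, reference_count */
    size_t fixed = 4 + 4 + (version == 0 ? 8 : 16) + 2 + 2;
    if (remaining < fixed) return SIDX_TRUNCATED;

    sidx_header h;
    h.version = version;
    h.reference_id = rd32(p);  p += 4;
    h.timescale = rd32(p);     p += 4;
    p += (version == 0) ? 8 : 16;    /* earliest_presentation_time, first_offset */
    p += 2;                          /* reserved */
    h.reference_count = rd16(p);
    remaining -= fixed;
    h.payload_bytes = remaining;
    if (out) *out = h;

    /* The patched checks, evaluated before anything is allocated from the count. */
    if ((uint64_t)h.reference_count > (uint64_t)(remaining / 12)) return SIDX_BAD_REF_COUNT;
    if ((uint64_t)h.reference_count > (uint64_t)SIZE_MAX / 12) return SIDX_BAD_REF_COUNT;
    return SIDX_OK;
}

/* Constructed test input: a version-0 sidx box that declares `declared`
 * references but carries only `actual` 12-byte entries. Returns the box
 * length, or 0 if it does not fit in cap. */
size_t build_sidx(uint8_t *buf, size_t cap, uint16_t declared, uint16_t actual)
{
    size_t total = 32 + (size_t)actual * 12;   /* 32 = fixed header of a version-0 sidx */
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(total >> 24); buf[1] = (uint8_t)(total >> 16);
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
    memcpy(buf + 4, "sidx", 4);
    buf[15] = 1;                                                    /* reference_ID = 1 */
    buf[16] = 0x00; buf[17] = 0x01; buf[18] = 0x5F; buf[19] = 0x90; /* timescale = 90000 */
    buf[30] = (uint8_t)(declared >> 8); buf[31] = (uint8_t)declared;
    return total;
}

int main(void)
{
    uint8_t buf[512];
    sidx_header h;
    size_t n = build_sidx(buf, sizeof buf, 2, 2);
    enum sidx_status st = sidx_validate(buf, n, &h);
    printf("consistent box: status %d, count %u, payload %zu bytes\n", st, h.reference_count, h.payload_bytes);
    n = build_sidx(buf, sizeof buf, 65535, 0);
    st = sidx_validate(buf, n, &h);
    printf("inflated count: status %d (SIDX_BAD_REF_COUNT = %d)\n", st, SIDX_BAD_REF_COUNT);
    return 0;
}
```

The check is deliberately placed on the parsed count before any allocation, which is the ordering the patch restores; a scanner run over untrusted ISOBMFF input would walk the top-level boxes, hand each sidx to sidx_validate, and treat SIDX_BAD_REF_COUNT as the indicator described under Detection Strategies. Boxes that use the 64-bit largesize form (size field of 1) are out of scope for this example.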
Monitoring Recommendations
- Enable resource limits (ulimit -v, cgroup memory caps) on media transcoding workers and alert on OOM kills.
- Forward stderr from GPAC tooling to centralized logging and alert on [iso file] Invalid number of references messages introduced by the patch.
- Track process-level RSS spikes correlated with media file ingestion events in your SIEM.
How to Mitigate CVE-2026-8124
Immediate Actions Required
- Upgrade GPAC to a build that includes commit 442e2299530138d8f874fd885c565ba98a6318ba or a tagged release published after 26.02.0.
- Restrict execution of GPAC utilities to trusted users and avoid running them against attacker-supplied files with elevated privileges.
- Sandbox media parsing workloads using seccomp, AppArmor, or container memory limits to contain allocation abuse.
Patch Information
The fix is available in the upstream repository at GPAC commit 442e2299530138d8f874fd885c565ba98a6318ba. Additional context is tracked in GPAC GitHub Issue #3519. Rebuild any statically linked tooling or distribution packages that vendor libgpac after applying the patch.
Workarounds
- Do not process untrusted MP4, DASH, or fragmented ISOBMFF files with vulnerable GPAC versions.
- Run GPAC tools under a constrained memory cgroup so that excessive allocations terminate the process without affecting the host.
- Pre-validate input media with a hardened parser before handing files to GPAC for muxing or analysis.
# Build the patched GPAC from source
git clone https://github.com/gpac/gpac.git
cd gpac
git checkout 442e2299530138d8f874fd885c565ba98a6318ba
./configure --static-bin
make -j$(nproc)
sudo make install
# Constrain runtime memory for media parsing jobs
systemd-run --scope -p MemoryMax=512M MP4Box -info /path/to/input.mp4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.