CVE-2026-9567 Overview
CVE-2026-9567 is a null pointer dereference vulnerability in GPAC versions up to 2.4.0. The flaw resides in the MergeFragment function within src/isomedia/isom_intern.c, part of the MP4Box component. An attacker with local access can trigger the dereference by supplying a crafted MP4 input that contains a GF_ProtectionSystemHeaderBox with inconsistent private_data fields. The issue is tracked under CWE-404 (Improper Resource Shutdown or Release) and a public proof-of-concept has been released. The upstream patch is identified by commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1.
Critical Impact
Local attackers can crash MP4Box by feeding a malformed media container, causing a denial of service in automated media processing pipelines that ingest untrusted files.
Affected Products
- GPAC up to and including version 2.4.0
- GPAC MP4Box utility
- Applications embedding the GPAC libisomedia library
Discovery Timeline
- 2026-05-26 - CVE-2026-9567 published to NVD
- 2026-05-26 - Public proof-of-concept released via GitHub Issue #3549
- 2026-05-26 - Upstream patch committed as 525bf1af642c30af04e4df5345e6d798c0a4d8a1
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9567
Vulnerability Analysis
The defect lives in the MergeFragment routine, which consolidates moof (Movie Fragment) boxes into the parent moov structure during ISO Base Media File Format processing. When the routine encounters a GF_ProtectionSystemHeaderBox (pssh), it copies private_data from the source box into the merged box. The pre-patch code reads the source box's private_data_size, allocates a buffer of that size, and calls memmove from the source private_data without first checking that the pointer is non-null and the size is non-zero. Supplying a pssh box with a null private_data pointer or a zero private_data_size therefore triggers the dereference and aborts the process. The crash occurs entirely within the parsing path, so any tool that invokes MP4Box against untrusted input is exposed.
Root Cause
The root cause is missing input validation on a nested box field. The code assumed that any pssh box containing a KID_count would also carry valid private_data, an invariant that the MP4 specification does not enforce.
Attack Vector
Exploitation requires local access and the ability to provide a crafted MP4 file to a process invoking MP4Box or the GPAC libisomedia API. There is no remote network vector and no code execution outcome — only a process-level denial of service.
// Patch: src/isomedia/isom_intern.c - add null guard in MergeFragment()
memmove(pssh->KIDs, ((GF_ProtectionSystemHeaderBox *)a)->KIDs, pssh->KID_count*sizeof(bin128));
}
- pssh->private_data_size = ((GF_ProtectionSystemHeaderBox *)a)->private_data_size;
- pssh->private_data = (u8 *)gf_malloc(pssh->private_data_size*sizeof(char));
- if (!pssh->private_data) return GF_OUT_OF_MEM;
- memmove(pssh->private_data, ((GF_ProtectionSystemHeaderBox *)a)->private_data, pssh->private_data_size);
+ if ( ((GF_ProtectionSystemHeaderBox *)a)->private_data && ((GF_ProtectionSystemHeaderBox *)a)->private_data_size ) {
+ pssh->private_data_size = ((GF_ProtectionSystemHeaderBox *)a)->private_data_size;
+ pssh->private_data = (u8 *)gf_malloc(pssh->private_data_size*sizeof(char));
+ if (!pssh->private_data) return GF_OUT_OF_MEM;
+ memmove(pssh->private_data, ((GF_ProtectionSystemHeaderBox *)a)->private_data, pssh->private_data_size);
+ }
pssh->moof_defined = 1;
mov->has_pssh_moof = GF_TRUE;
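Review bot: when the new guard `if ( ((GF_ProtectionSystemHeaderBox *)a)->private_data && ((GF_ProtectionSystemHeaderBox *)a)->private_data_size )` is false, the hunk leaves `pssh->private_data` and `pssh->private_data_size` exactly as they were before the merge, so the merged box only has a well-defined empty state if `pssh` was zero-initialised elsewhere; an explicit `else { pssh->private_data = NULL; pssh->private_data_size = 0; }` would make that state independent of the allocator. Style: the `((GF_ProtectionSystemHeaderBox *)a)` cast now appears five times in this hunk (plus once in the KIDs memmove above it) and could be hoisted into a local, and `sizeof(char)` in the `gf_malloc` call is redundant.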
// Source: https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1
Detection Methods for CVE-2026-9567
Indicators of Compromise
- Unexpected crashes or SIGSEGV terminations of MP4Box processes during media ingestion.
- Core dump files referencing MergeFragment or isom_intern.c in the call stack.
- MP4 files containing pssh boxes with zero-length or absent private_data fields.
Detection Strategies
- Statically inspect deployed GPAC binaries for versions at or below 2.4.0 and flag systems missing commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1.
- Run candidate MP4 inputs through a sandboxed MP4Box invocation and alert on non-zero exit codes or signal terminations.
- Compare hashes of installed GPAC libraries against patched distribution packages.
Monitoring Recommendations
- Forward process termination and crash telemetry from media transcoding hosts to a central log store for review.
- Track invocations of MP4Box against files originating from untrusted upload paths or shared filesystems.
- Alert on repeated parser crashes that target the same user or upload source, which can indicate active probing.
How to Mitigate CVE-2026-9567
Immediate Actions Required
- Upgrade GPAC to a build that includes commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1 from the GPAC repository.
- Inventory hosts running MP4Box and rebuild any locally compiled installations against the patched source.
- Restrict execution of MP4Box to trusted accounts on multi-user systems until patching is complete.
Patch Information
The fix adds a guard so that private_data is copied only when the source pointer is non-null and the source size is non-zero. The patch is available in commit 525bf1af642c30af04e4df5345e6d798c0a4d8a1 and resolves GitHub Issue #3549.
Workarounds
- Run MP4Box inside a sandbox or container with restricted privileges so a crash cannot affect adjacent workloads.
- Pre-validate MP4 inputs with a separate parser that rejects malformed pssh boxes before they reach GPAC.
- Disable processing of DRM-protected fragmented MP4 inputs on systems that do not require them.
# Verify installed GPAC version and patch presence
MP4Box -version 2>&1 | head -n 2
# Rebuild GPAC from the patched source
git clone https://github.com/gpac/gpac.git
cd gpac
git fetch origin
git checkout 525bf1af642c30af04e4df5345e6d798c0a4d8a1
./configure --static-bin
make -j"$(nproc)"
sudo make install
# Restrict MP4Box execution to a dedicated low-privilege user
sudo chown root:mediaproc /usr/local/bin/MP4Box
sudo chmod 750 /usr/local/bin/MP4Box
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.