CVE-2026-9567

NameCVE-2026-9567
DescriptionA security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gpac (PTS)bullseye (security), bullseye1.0.1+dfsg1-4+deb11u3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gpacsourcebullseye(unfixed)end-of-life
gpacsource(unstable)(unfixed)

Notes

[bullseye] - gpac <end-of-life> (EOLed in debian-security-support)
https://github.com/gpac/gpac/issues/3549
https://github.com/gpac/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1
Search for package or bug name: Reporting problems