CVE-2026-9572
Description
A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| bullseye | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gpac | gpac | {"endIncluding":"2.4.0"} | |
References
- https://github.com/gpac/gpac/
- https://github.com/gpac/gpac/commit/e79c5cbe8b3fed27f4854ec229457d30c96206f1
- https://github.com/gpac/gpac/issues/3557
- https://github.com/user-attachments/files/27270415/poc.zip
- https://vuldb.com/submit/817137
- https://vuldb.com/vuln/365631
- https://vuldb.com/vuln/365631/cti
- https://security-tracker.debian.org/tracker/CVE-2026-9572
CWEs
CWE-401 CWE-404
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.