CVE-2026-9567

CVE Database · CVE-2026-9567

CVE-2026-9567

· LOWDeferred

CVSS v3.1

3.3

CVSS v4.0

1.9

EPSS

0.11%

Published

May 26, 2026

Modified

May 26, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Weaknesses (CWE)

CWE-404CWE-476

References (7)

https://github.com/gpac/gpac/

https://github.com/gpac/gpac/issues/3549

https://github.com/makesoftwaresafe/gpac/commit/525bf1af642c30af04e4df5345e6d798c0a4d8a1

https://github.com/user-attachments/files/27196918/poc.zip

https://vuldb.com/submit/816075

https://vuldb.com/vuln/365629

https://vuldb.com/vuln/365629/cti

KEV Catalog EPSS Scores Vendors All CVEs