CVE-2026-1418

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-1418
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1418.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-1418
Downstream
Published
2026-01-26T04:16:10.360Z
Modified
2026-03-15T22:52:39.055210Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gftextimportsrtbifs of the file src/scenemanager/textto_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.

References

Affected packages

Git / github.com/enocknt/gpac

Affected ranges

Type
GIT
Repo
https://github.com/enocknt/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
10c73b82cf0e367383d091db38566a0e4fe71772
Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5d70253ac94e5840be7b86054131dd753af63cc7
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.0"
        }
    ]
}

Affected versions

v0.*
v0.5.2
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v0.9.0-preview
v1.*
v1.0.0
v1.0.1
v2.*
v2.0.0
v2.2.0
v2.4.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1418.json"
vanir_signatures 
[
    {
        "source": "https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-1418-1ecea719",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "164133487273732179464342031336877152296",
                "123958394479058412918963484534876146673",
                "34578872196006803723457937092369670292",
                "140927955535974989331683746887673884548",
                "317157303824313245158862758293231027863",
                "258337157534838928770410599318726408351",
                "120725769967968779536391103172270310834",
                "277087999642364188165715428523635935681",
                "147288800158252847652907863940433819508",
                "309337179551568124689556149450675603133",
                "143871459471587378667328483894626070658",
                "220486623369316946822587351195327435276",
                "76775731927034068820951860109085703271",
                "171495385489447948522805668021412554885",
                "213779776148613669428368583714061612719",
                "237285379177315265828531722325376280815",
                "281922440338218557975161993223800083503",
                "7085135403327497539084875820770780720",
                "56817577590426009275963741510078646103",
                "81088448747152386828525059952693813454",
                "307062177988182664767322279584209255188",
                "60718172570242600004086152963095184346",
                "317712987852311218529334066833034081790",
                "293627422917990316014751689125350704627",
                "103950808797060975100190081328592966507",
                "139446239893207472187093082919311709082",
                "189323801346604450431259698217608773614",
                "42291509452047420139479397893697782503",
                "200009568168289145192776051211319493580",
                "37549783632565201788686470643110486649",
                "44173013905348977223392124857744092377",
                "126616419081034722117193619835861287194",
                "197437614916863985023292346281890052903",
                "99587432701339705042874216850790474028",
                "186198311794110556629283899244246465901",
                "147288800158252847652907863940433819508",
                "309337179551568124689556149450675603133",
                "143871459471587378667328483894626070658",
                "220486623369316946822587351195327435276",
                "61580891069826271582181195409170396307",
                "205190313709827241250057011654175153431",
                "290930906419981101701196983217624286963",
                "108122831179226391240121966788902621796",
                "231086037452361190883801589422807026556",
                "217242492728433384584189196411765885656",
                "202029841477779827507192203690207490987",
                "339294206881857759698199126404604290049",
                "168521345449109509660510419431224328974",
                "273397860653587171365182413479430873502",
                "282178157948729777012953228809919848939"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "src/scene_manager/text_to_bifs.c"
        }
    },
    {
        "source": "https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2026-1418-b37b1a8e",
        "digest": {
            "length": 7168.0,
            "function_hash": "75468771887554725939229209367886652941"
        },
        "signature_type": "Function",
        "target": {
            "file": "src/scene_manager/text_to_bifs.c",
            "function": "gf_text_import_srt_bifs"
        }
    }
]