CVE-2026-33144

Source
https://cve.org/CVERecord?id=CVE-2026-33144
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33144.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33144
Aliases
  • GHSA-3jw5-9pmw-vmfg
Downstream
Published
2026-03-20T20:07:58.175Z
Modified
2026-04-12T20:14:09.728815Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H
Summary
GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)
Details

GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious <BS> (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been patched via commit 86b0e36.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33144.json"
}
References

Affected packages

Git / github.com/gpac/gpac

Affected ranges

Type
GIT
Repo
https://github.com/gpac/gpac
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
abi-12
abi-13
abi-14
abi-15
abi-16
abi-12.*
abi-12.16
abi-12.17
abi-12.18
abi-12.19
abi-12.20
abi-12.21
abi-12.22
abi-12.23
abi-12.24
abi-12.25
abi-12.26
abi-12.27
abi-13.*
abi-13.0
abi-14.*
abi-14.0
abi-15.*
abi-15.0
abi-15.1
abi-15.2
abi-16.*
abi-16.2
abi-16.3
abi-16.4
abi-16.5
abi-16.6
testtag0.*
testtag0.1
v0.*
v0.5.2
v0.6.0
v0.9.0
v0.9.0-preview
v1.*
v1.0.0
v2.*
v2.0.0
v2.2.0
v26.*
v26.02.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33144.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 12851.0,
            "function_hash": "297745097757912774735723952795026710447"
        },
        "source": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72",
        "target": {
            "function": "nhmldmx_send_sample",
            "file": "src/filters/dmx_nhml.c"
        },
        "id": "CVE-2026-33144-abc2c62a"
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "42079502082530779858342405201078927091",
                "33891107814393948999681117771194806720",
                "70543067064101358523799178869560581642",
                "19613179692556639733946488636659210696",
                "85345945110423490939946521520523743756",
                "150966639538732160476117029100888966622",
                "26586440119326341527156261185452628639"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72",
        "target": {
            "file": "src/utils/xml_bin_custom.c"
        },
        "id": "CVE-2026-33144-b3d32ec3"
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "127075050987779515672904370879474013587",
                "258956059524958146139949368118315345806",
                "225559437328368484651803344414367834754",
                "187086453625554598803022697657942174111"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72",
        "target": {
            "file": "src/filters/dmx_nhml.c"
        },
        "id": "CVE-2026-33144-bde44eda"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 7261.0,
            "function_hash": "127321648180269209432862047693823316841"
        },
        "source": "https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72",
        "target": {
            "function": "gf_xml_parse_bit_sequence_bs",
            "file": "src/utils/xml_bin_custom.c"
        },
        "id": "CVE-2026-33144-f45e7ee2"
    }
]
vanir_signatures_modified
"2026-04-12T20:14:09Z"