GPAC box_code_base.c sidx_box_read allocation of resources
Summary
| CVE | CVE-2026-8124 |
|---|---|
| State | PUBLISHED |
| Assigner | VulDB |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-08 02:16:08 UTC |
| Updated | 2026-05-08 02:16:08 UTC |
| Description | A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue. |
Risk And Classification
Primary CVSS: v4.0 1.9 LOW from [email protected]
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-400 | CWE-770 | CWE-770 Allocation of Resources | CWE-400 Resource Consumption
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 1.9 | LOW | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/C... |
| 4.0 | CNA | DECLARED | 4.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
| 3.1 | [email protected] | Primary | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | CNA | DECLARED | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C |
| 3.0 | CNA | DECLARED | 3.3 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C |
| 2.0 | [email protected] | Secondary | 1.7 | AV:L/AC:L/Au:S/C:N/I:N/A:P | |
| 2.0 | CNA | DECLARED | 1.7 | AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C |
CVSS v4.0 Breakdown
Attack Vector
LocalAttack Complexity
LowAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
LowSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
LowCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS v3.0 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
LowCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| vuldb.com/submit/808611 | [email protected] | vuldb.com | |
| vuldb.com/vuln/361914/cti | [email protected] | vuldb.com | |
| github.com/gpac/gpac | [email protected] | github.com | |
| github.com/gpac/gpac/issues/3519 | [email protected] | github.com | |
| github.com/gpac/gpac/commit/442e2299530138d8f874fd885c565ba98a6318ba | [email protected] | github.com | |
| vuldb.com/vuln/361914 | [email protected] | vuldb.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Lucian-2333 (VulDB User) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-07T00:00:00.000Z | Advisory disclosed |
| CNA | 2026-05-07T02:00:00.000Z | VulDB entry created |
| CNA | 2026-05-07T19:13:04.000Z | VulDB entry last update |
There are currently no legacy QID mappings associated with this CVE.