Nixpkgs security tracker

Login with GitHub

Suggestions search

With package: gpac-unstable

Found 11 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-15185
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 16 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 references
  • @LeSuisse ignored
    32 packages
    • msgpack-cxx
    • msgpack-c
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • haskellPackages.data-msgpack-types
    • python313Packages.u-msgpack-python
    • python314Packages.u-msgpack-python
    • chickenPackages_5.chickenEggs.msgpack
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GPAC MP4Box vobsub.c vobsub_read_idx out-of-bounds

A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.

Affected products

GPAC
  • ==26.03-DEV

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

Ignored packages (32)

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6

Package maintainers

Published
Permalink CVE-2026-14790
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 3 days, 22 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored package msgpack-c
  • @LeSuisse ignored
    4 references
  • @LeSuisse ignored
    31 packages
    • msgpack-cxx
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • haskellPackages.data-msgpack-types
    • python313Packages.u-msgpack-python
    • python314Packages.u-msgpack-python
    • chickenPackages_5.chickenEggs.msgpack
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GPAC Media File write_nhml.c nhmldump_send_frame null pointer dereference

A flaw has been found in GPAC 26.02.0. This affects the function nhmldump_send_frame of the file src/filters/write_nhml.c of the component Media File Handler. Executing a manipulation can lead to null pointer dereference. The attack requires local access. The exploit has been published and may be used. This patch is called bd1d94e70e3bef364c07c5a1d94eca5c9f56e160. A patch should be applied to remediate this issue. The project explains: "I would consider most of these more as bugs than vulns but anyway they're good to fix".

Affected products

GPAC
  • ==26.02.0

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

Ignored packages (32)

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6

Package maintainers

Published
Permalink CVE-2026-14801
4.8 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): Not Defined (X)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 3 days, 22 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    4 references
  • @LeSuisse ignored
    33 packages
    • gpac-unstable
    • msgpack-cxx
    • msgpack-c
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • haskellPackages.data-msgpack-types
    • python313Packages.u-msgpack-python
    • python314Packages.u-msgpack-python
    • chickenPackages_5.chickenEggs.msgpack
  • @LeSuisse restored package gpac-unstable
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
GPAC TeXML File load_text.c txtin_probe_duration divide by zero

A security vulnerability has been detected in GPAC 26.03-DEV-rev342-g80071f700-master. The impacted element is the function txtin_probe_duration of the file src/filters/load_text.c of the component TeXML File Handler. Such manipulation of the argument txml_timescale leads to divide by zero. An attack has to be approached locally. The name of the patch is 86a5191f2e750c767253e27ed6cfd6d547afebc2. A patch should be applied to remediate this issue.

Affected products

GPAC
  • ==26.03-DEV-rev342-g80071f700-master

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

Ignored packages (32)

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6

Package maintainers

Dismissed
Permalink CVE-2025-15667
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 3 days, 22 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse dismissed
GPAC MP4Box avc_ext.c gf_isom_nalu_sample_rewrite double free

A vulnerability was determined in GPAC up to 2.5-DEV. This vulnerability affects the function gf_isom_nalu_sample_rewrite of the file src/isomedia/avc_ext.c of the component MP4Box. This manipulation of the argument nalu_out_bs causes double free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Patch name: f29f955f2a3b5e8e507caad3e52319f961bf37bf. To fix this issue, it is recommended to deploy a patch.

Affected products

GPAC
  • ==2.5-DEV

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6
Fixed in 26.02.0. Stable branch was never impacted.
Dismissed
Permalink CVE-2025-15668
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 3 days, 22 hours ago by @LeSuisse Activity log
  • Created suggestion
  • @LeSuisse ignored
    33 packages
    • msgpack-c
    • msgpack-cxx
    • gpac-unstable
    • msgpack-tools
    • rubyPackages.msgpack
    • phpExtensions.msgpack
    • haskellPackages.msgpack
    • perlPackages.MsgPackRaw
    • php82Extensions.msgpack
    • php83Extensions.msgpack
    • php84Extensions.msgpack
    • php85Extensions.msgpack
    • luaPackages.lua-cmsgpack
    • perl5Packages.MsgPackRaw
    • rubyPackages_3_3.msgpack
    • rubyPackages_3_4.msgpack
    • rubyPackages_4_0.msgpack
    • python313Packages.msgpack
    • python314Packages.msgpack
    • lua51Packages.lua-cmsgpack
    • lua52Packages.lua-cmsgpack
    • lua53Packages.lua-cmsgpack
    • lua54Packages.lua-cmsgpack
    • lua55Packages.lua-cmsgpack
    • python313Packages.ormsgpack
    • python314Packages.ormsgpack
    • haskellPackages.data-msgpack
    • python313Packages.msgpack-numpy
    • python314Packages.msgpack-numpy
    • chickenPackages_5.chickenEggs.msgpack
    • python314Packages.u-msgpack-python
    • python313Packages.u-msgpack-python
    • haskellPackages.data-msgpack-types
  • @LeSuisse ignored
    4 references
  • @LeSuisse restored package gpac-unstable
  • @LeSuisse dismissed
GPAC MP4Box box_code_base.c sgpd_del_entry heap-based overflow

A vulnerability was identified in GPAC up to b40ce70f5. This issue affects the function sgpd_del_entry of the file src/isomedia/box_code_base.c of the component MP4Box. Such manipulation of the argument data leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is f29f955f2a3b5e8e507caad3e52319f961bf37bf. It is advisable to implement a patch to correct this issue.

Affected products

GPAC
  • ==b40ce70f5

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

Ignored packages (32)

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-26.05 0.6
    • nixos-26.05-small 0.6
    • nixpkgs-26.05-darwin 0.6

Package maintainers

Stable branch was never impacted
Untriaged
Permalink CVE-2026-9572
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 1 month, 2 weeks ago Activity log
  • Created suggestion
GPAC MP4Box media.c Media_GetSample memory leak

A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue.

Affected products

GPAC
  • ==2.2
  • ==2.0
  • ==2.4.0
  • ==2.3
  • ==2.1

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-c

MessagePack implementation for C

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
Untriaged
Permalink CVE-2026-8124
1.9 LOW
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Exploit Maturity (E): POC (P)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
created 2 months ago Activity log
  • Created suggestion
GPAC box_code_base.c sidx_box_read allocation of resources

A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to allocation of resources. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. It is suggested to install a patch to address this issue.

Affected products

GPAC
  • ==26.02

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-c

MessagePack implementation for C

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
Untriaged
Permalink CVE-2026-1417
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 5 months, 2 weeks ago Activity log
  • Created suggestion
GPAC filedump.c dump_isom_rtp null pointer dereference

A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue.

Affected products

GPAC
  • ==2.2
  • ==2.0
  • ==2.4.0
  • ==2.3
  • ==2.1

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-c

MessagePack implementation for C

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6

Package maintainers

Untriaged
Permalink CVE-2026-1415
3.3 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): Low (L)
created 5 months, 2 weeks ago Activity log
  • Created suggestion
GPAC media_export.c gf_media_export_webvtt_metadata null pointer dereference

A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch.

Affected products

GPAC
  • ==2.2
  • ==2.0
  • ==2.4.0
  • ==2.3
  • ==2.1

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-c

MessagePack implementation for C

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6

Package maintainers

Untriaged
Permalink CVE-2026-1418
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Exploit Code Maturity (E): Proof-of-Concept (P)
  • Remediation Level (RL): Official Fix (O)
  • Report Confidence (RC): Confirmed (C)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
created 5 months, 2 weeks ago Activity log
  • Created suggestion
GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write

A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.

Affected products

GPAC
  • ==2.2
  • ==2.0
  • ==2.4.0
  • ==2.3
  • ==2.1

Matching in nixpkgs

pkgs.gpac

Open Source multimedia framework for research and academic purposes

pkgs.msgpack-c

MessagePack implementation for C

pkgs.msgpack-tools

Command-line tools for converting between MessagePack and JSON

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6

Package maintainers