{"id":"CVE-2026-1418","details":"A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue.","modified":"2026-04-12T20:21:41.510493Z","published":"2026-01-26T04:16:10.360Z","references":[{"type":"WEB","url":"https://github.com/gpac/gpac/"},{"type":"ADVISORY","url":"https://vuldb.com/?id.342807"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.736544"},{"type":"REPORT","url":"https://github.com/gpac/gpac/issues/3425"},{"type":"REPORT","url":"https://github.com/gpac/gpac/issues/3425#issue-3801961068"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.342807"},{"type":"FIX","url":"https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/enocknt/gpac","events":[{"introduced":"0"},{"fixed":"10c73b82cf0e367383d091db38566a0e4fe71772"}]},{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"last_affected":"5d70253ac94e5840be7b86054131dd753af63cc7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.0"}]}}],"versions":["v0.5.2","v0.6.0","v0.9.0","v0.9.0-preview","v1.0.0","v2.0.0","v2.2.0","v2.4.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T20:21:41Z","vanir_signatures":[{"signature_version":"v1","id":"CVE-2026-1418-1ecea719","source":"https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772","digest":{"threshold":0.9,"line_hashes":["164133487273732179464342031336877152296","123958394479058412918963484534876146673","34578872196006803723457937092369670292","140927955535974989331683746887673884548","317157303824313245158862758293231027863","258337157534838928770410599318726408351","120725769967968779536391103172270310834","277087999642364188165715428523635935681","147288800158252847652907863940433819508","309337179551568124689556149450675603133","143871459471587378667328483894626070658","220486623369316946822587351195327435276","76775731927034068820951860109085703271","171495385489447948522805668021412554885","213779776148613669428368583714061612719","237285379177315265828531722325376280815","281922440338218557975161993223800083503","7085135403327497539084875820770780720","56817577590426009275963741510078646103","81088448747152386828525059952693813454","307062177988182664767322279584209255188","60718172570242600004086152963095184346","317712987852311218529334066833034081790","293627422917990316014751689125350704627","103950808797060975100190081328592966507","139446239893207472187093082919311709082","189323801346604450431259698217608773614","42291509452047420139479397893697782503","200009568168289145192776051211319493580","37549783632565201788686470643110486649","44173013905348977223392124857744092377","126616419081034722117193619835861287194","197437614916863985023292346281890052903","99587432701339705042874216850790474028","186198311794110556629283899244246465901","147288800158252847652907863940433819508","309337179551568124689556149450675603133","143871459471587378667328483894626070658","220486623369316946822587351195327435276","61580891069826271582181195409170396307","205190313709827241250057011654175153431","290930906419981101701196983217624286963","108122831179226391240121966788902621796","231086037452361190883801589422807026556","217242492728433384584189196411765885656","202029841477779827507192203690207490987","339294206881857759698199126404604290049","168521345449109509660510419431224328974","273397860653587171365182413479430873502","282178157948729777012953228809919848939"]},"signature_type":"Line","deprecated":false,"target":{"file":"src/scene_manager/text_to_bifs.c"}},{"signature_version":"v1","id":"CVE-2026-1418-b37b1a8e","source":"https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772","digest":{"function_hash":"75468771887554725939229209367886652941","length":7168},"signature_type":"Function","deprecated":false,"target":{"file":"src/scene_manager/text_to_bifs.c","function":"gf_text_import_srt_bifs"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1418.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}