{"id":"CVE-2026-33144","summary":"GPAC MP4Box Heap Buffer Overflow Write in gf_xml_parse_bit_sequence_bs (NHML BS Parsing)","details":"GPAC is an open-source multimedia framework. Prior to commit 86b0e36, a heap-based buffer overflow (write) vulnerability was discovered in GPAC MP4Box. The vulnerability exists in the gf_xml_parse_bit_sequence_bs function in utils/xml_bin_custom.c when processing a crafted NHML file containing malicious \u003cBS\u003e (BitSequence) elements. An attacker can exploit this by providing a specially crafted NHML file, causing an out-of-bounds write on the heap. This issue has been fixed via commit 86b0e36.","aliases":["GHSA-3jw5-9pmw-vmfg"],"modified":"2026-04-12T20:14:09.728815Z","published":"2026-03-20T20:07:58.175Z","database_specific":{"cwe_ids":["CWE-787"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33144.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33144.json"},{"type":"ADVISORY","url":"https://github.com/gpac/gpac/security/advisories/GHSA-3jw5-9pmw-vmfg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33144"},{"type":"FIX","url":"https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gpac/gpac","events":[{"introduced":"0"},{"fixed":"86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}]}],"versions":["abi-12","abi-12.16","abi-12.17","abi-12.18","abi-12.19","abi-12.20","abi-12.21","abi-12.22","abi-12.23","abi-12.24","abi-12.25","abi-12.26","abi-12.27","abi-13","abi-13.0","abi-14","abi-14.0","abi-15","abi-15.0","abi-15.1","abi-15.2","abi-16","abi-16.2","abi-16.3","abi-16.4","abi-16.5","abi-16.6","testtag0.1","v0.5.2","v0.6.0","v0.9.0","v0.9.0-preview","v1.0.0","v2.0.0","v2.2.0","v26.02.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-
33144.json","vanir_signatures_modified":"2026-04-12T20:14:09Z","vanir_signatures":[{"id":"CVE-2026-33144-abc2c62a","signature_version":"v1","target":{"function":"nhmldmx_send_sample","file":"src/filters/dmx_nhml.c"},"signature_type":"Function","deprecated":false,"digest":{"length":12851,"function_hash":"297745097757912774735723952795026710447"},"source":"https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"},{"id":"CVE-2026-33144-b3d32ec3","signature_version":"v1","target":{"file":"src/utils/xml_bin_custom.c"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["42079502082530779858342405201078927091","33891107814393948999681117771194806720","70543067064101358523799178869560581642","19613179692556639733946488636659210696","85345945110423490939946521520523743756","150966639538732160476117029100888966622","26586440119326341527156261185452628639"],"threshold":0.9},"source":"https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"},{"id":"CVE-2026-33144-bde44eda","signature_version":"v1","target":{"file":"src/filters/dmx_nhml.c"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["127075050987779515672904370879474013587","258956059524958146139949368118315345806","225559437328368484651803344414367834754","187086453625554598803022697657942174111"],"threshold":0.9},"source":"https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"},{"id":"CVE-2026-33144-f45e7ee2","signature_version":"v1","target":{"function":"gf_xml_parse_bit_sequence_bs","file":"src/utils/xml_bin_custom.c"},"signature_type":"Function","deprecated":false,"digest":{"length":7261,"function_hash":"127321648180269209432862047693823316841"},"source":"https://github.com/gpac/gpac/commit/86b0e36ea4c71402fbdaf7e13d73ba8841003e72"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H"}]}