← back
CVE-2026-15185

GPAC MP4Box vobsub.c vobsub_read_idx out-of-bounds

CVSS 4.8 MEDIUMCWE-119CWE-125
Vexday Risk Score
30Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 4.8EPSS KEV nãoPoC públicaNuclei Metasploit Patch referenciado
Lifecycle
09 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · GPAC
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.