CVE Catalog

CVE-2026-13523

Severity: Low (CVSS 3.3)

Exploitation Probability (EPSS)

Low risk: 0.11% (2nd percentile, i.e. higher than 2% of all known CVEs)

Summary

A weakness in the ISOBMFF Parser component of GPAC up to version 26.02.0 affects the file src/utils/base_encoding.c. A locally supplied, highly compressed payload can inflate to a size that is unbounded relative to its compressed input (a decompression bomb), causing uncontrolled memory and CPU consumption during decompression. A public exploit is available, which increases the likelihood of attacks.

Risk Assessment

Systems running an unpatched GPAC face local denial of service: a crafted compressed payload inside an ISOBMFF file can exhaust memory or CPU while being inflated, disrupting any application that relies on GPAC to parse such files. The attack requires local access and is not reported to affect confidentiality or integrity.

Recommendation

Apply the patch identified as commit 297f2d8d1f493d8b241330533cd47f7da758aeb3, which makes the inflate routine fail with an error once the decompressed output exceeds 32 times the size of the compressed input (the vendor notes that this limit may be adjusted later). Upgrading to the latest GPAC release containing this commit is recommended. Until patched, treat ISOBMFF files from untrusted sources as a potential resource-exhaustion risk.
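The check described in the recommendation above and in the vendor's statement quoted in the NVD description, shown as an added illustration that is not GPAC's code (GPAC is written in C and the actual routine in src/utils/base_encoding.c is not reproduced here). The example uses Python's standard zlib module; the function names (inflate_unbounded, inflate_bounded, DecompressionBombError) and the sample payloads are constructed for this page and are not taken from the advisory. It contrasts the vulnerable pattern, a single decompress call that lets the stream dictate its own output size, with an incremental inflate that aborts as soon as output passes 32 times the input size, so memory use is bounded by the cap rather than by the attacker's data.

```python
import zlib

# Expansion cap taken from the GPAC fix described on this page: inflate output
# may not exceed 32 times the compressed input size.
MAX_EXPANSION_RATIO = 32


class DecompressionBombError(ValueError):
    """Raised when inflated output exceeds the permitted expansion ratio."""


def inflate_unbounded(payload: bytes) -> bytes:
    """The vulnerable pattern: the stream alone decides how much memory is allocated."""
    return zlib.decompress(payload)


def inflate_bounded(payload: bytes, max_ratio: int = MAX_EXPANSION_RATIO) -> bytes:
    """Inflate a zlib stream, aborting once output exceeds max_ratio * len(payload).

    The cap is enforced incrementally: decompressobj.decompress(data, max_length)
    never returns more than max_length bytes, so the process never holds more
    than (limit + 1) bytes of inflated data, whatever the stream would expand to.
    """
    limit = max_ratio * len(payload)
    d = zlib.decompressobj()
    out = bytearray()
    data = payload
    while not d.eof:
        # Ask for at most one byte beyond the limit so an overshoot is detectable
        # without buffering anything substantial past it. room is always >= 1,
        # which matters because max_length=0 would mean "no limit".
        room = limit - len(out) + 1
        chunk = d.decompress(data, room)
        out += chunk
        if len(out) > limit:
            raise DecompressionBombError(
                f"inflated output exceeds {max_ratio}x the {len(payload)}-byte input"
            )
        # Input the decompressor did not get to yet is kept in unconsumed_tail;
        # feed it back. An empty tail with pending output is flushed by a
        # further call with empty input on the next iteration.
        data = d.unconsumed_tail
        if not data and not chunk:
            # Input exhausted, nothing more produced, no end-of-stream marker.
            raise ValueError("truncated or corrupt zlib stream")
    return bytes(out)


def expansion_ratio(payload: bytes, inflated: bytes) -> float:
    return len(inflated) / len(payload)


# Constructed sample inputs (not from the advisory or from GPAC): a benign
# payload with modest compressibility, and a bomb built from 1 MiB of zeros,
# which zlib shrinks to roughly a kilobyte (about 1000:1).
BENIGN_PLAINTEXT = bytes(range(256)) * 4
BENIGN_PAYLOAD = zlib.compress(BENIGN_PLAINTEXT, 9)
BOMB_PLAINTEXT = b"\x00" * (1 << 20)
BOMB_PAYLOAD = zlib.compress(BOMB_PLAINTEXT, 9)


def demo() -> dict:
    results = {"benign_ok": inflate_bounded(BENIGN_PAYLOAD) == BENIGN_PLAINTEXT}
    try:
        inflate_bounded(BOMB_PAYLOAD)
        results["bomb_rejected"] = False
    except DecompressionBombError:
        results["bomb_rejected"] = True
    # For contrast: the unbounded call materialises the whole megabyte.
    results["unbounded_bomb_size"] = len(inflate_unbounded(BOMB_PAYLOAD))
    results["bomb_ratio"] = expansion_ratio(BOMB_PAYLOAD, BOMB_PLAINTEXT)
    return results


if __name__ == "__main__":
    print(demo())
```

The ratio-based cap is cheap and needs no knowledge of the container, which is why it suits a generic helper like the one patched here; its trade-off, acknowledged in the vendor's note that the value may change, is that any legitimately very compressible payload above the ratio is rejected as well. A caller that knows the expected plaintext size (for example from a box length field) can pass a tighter absolute limit instead.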

Original NVD description (English source)

A weakness has been identified in GPAC up to 26.02.0. This affects an unknown part of the file src/utils/base_encoding.c of the component ISOBMFF Parser. Executing a manipulation can lead to highly compressed data. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. This patch is called 297f2d8d1f493d8b241330533cd47f7da758aeb3. A patch should be applied to remediate this issue. The vendor confirms: "We added a check on inflate output size, if it surpasses 32 times the input size we stop in error. This value could be adjusted later."

Vulnerability data from NVD (NIST) · CISA KEV · EPSS