CVE-2026-15185
GPAC MP4Box vobsub.c vobsub_read_idx out-of-bounds
Vexday Risk Score
30Low
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 4.8EPSS —KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
09 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
n/a · GPACpublic PoCs found — 1
cve_referencegithub.com/gpac/gpac/issues/3611unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/gpac/gpac/https://github.com/gpac/gpac/commit/532097084729a936bcdf6a27c41003f3bd7dc3ffhttps://github.com/gpac/gpac/commit/aa0fb77b82e51b159a2024c440cdf6b571b14d81https://github.com/gpac/gpac/issues/3611https://vuldb.com/cve/CVE-2026-15185https://vuldb.com/submit/851214https://vuldb.com/vuln/377111https://vuldb.com/vuln/377111/cti