GPAC MP4Box vobsub_read_idx Out-of-Bounds Read Vulnerability
A vulnerability was determined in GPAC 26.03-DEV. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called 532097084729a936bcdf6a27c41003f3bd7dc3ff. It is best practice to apply a patch to resolve this issue. Two different commits were applied to fix this issue.
Quick answer
GPAC MP4Box should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- GPAC 26.03-DEV
Fixed versions
- Apply patch 532097084729a936bcdf6a27c41003f3bd7dc3ff or latest GPAC build
How to fix it
GPAC 26.03-DEV is affected by an out-of-bounds read in MP4Box vobsub_read_idx. Apply the upstream patch or move to a current GPAC build that includes the fix. Systems that process untrusted subtitle or media files should be prioritized even though the attack is local file processing.
- Inventory GPAC and MP4Box installations used on workstations, servers, CI jobs, and media-processing pipelines.
- Apply patch 532097084729a936bcdf6a27c41003f3bd7dc3ff or upgrade to a current fixed GPAC build.
- Stop processing untrusted VobSub or subtitle index files until patched tooling is deployed.
- Run media processing jobs with least privilege and isolated working directories.
- Review crash reports and job logs for malformed VobSub index files.
- Rebuild containers, packages, or static binaries that bundle vulnerable GPAC code.
- Quarantine suspicious media samples submitted before the fix.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm GPAC or MP4Box includes the upstream fix for CVE-2026-15185.
- Validate malformed VobSub files no longer trigger out-of-bounds read crashes.
- Review media pipeline logs for prior crashes or exploit samples.
- Test normal MP4Box subtitle and media processing workflows after the update.
- Run a Fixnx scan against public media upload workflows if GPAC is used behind the site.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15185?
GPAC MP4Box versions listed as affected should be reviewed: GPAC 26.03-DEV.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
