A vulnerability was found in GPAC 26.03-DEV. It has been declared as problematic. This affects the function
vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read.
This vulnerability is registered as CVE-2026-15185. The attack needs to be launched locally. Furthermore, an exploit is available.
It is best practice to apply a patch to resolve this issue.
Two different commits were applied to fix this issue.