A vulnerability was found in GPAC 26.03-DEV. It has been declared as problematic. This affects the function vobsub_read_idx of the file /src/media_tools/vobsub.c of the component MP4Box. Executing a manipulation of the argument num_langs can lead to out-of-bounds read.

This vulnerability is registered as CVE-2026-15185. The attack needs to be launched locally. Furthermore, an exploit is available.

It is best practice to apply a patch to resolve this issue.

Two different commits were applied to fix this issue.