Debian Linux
CVE-2019-9928
Severity: HIGH (primary rating from NVD, the only source for this CVE)
CVSS 3.0 vector (NVD): CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (CVE.org)
GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.
Analysis (AI)
A heap-based buffer overflow vulnerability exists in GStreamer's RTSP connection parser that allows a remote attacker to execute arbitrary code by sending a specially crafted response from a malicious RTSP server. The vulnerability affects all GStreamer versions prior to 1.16.0 and requires user interaction (the victim must connect to the malicious server); its CVSS score of 8.8 indicates high severity. While no active exploitation has been confirmed (it is not listed in CISA's KEV catalog), the vulnerability has been publicly disclosed with security advisories available, and the attack vector is relatively straightforward for attackers with RTSP protocol knowledge.
Technical Context (AI)
GStreamer is a widely used open-source multimedia framework that handles many media formats and protocols, including RTSP (Real Time Streaming Protocol), which is commonly used for streaming video. The vulnerability stems from improper bounds checking in the RTSP connection parser and is classified as CWE-787 (Out-of-bounds Write): the parser fails to validate the size of incoming data before copying it into a heap buffer. Based on the CPE data, the core affected product is GStreamer itself (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) in versions before 1.16.0, and the affected package ships in several Linux distributions, including Debian 8.0 and 9.0 and Ubuntu 16.04 LTS, 18.04 LTS, and 18.10.
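As an added illustration of the bug class (not GStreamer's code; this page contains none of the actual parser), the following C function parses an RTSP response and validates the server-supplied Content-Length against the bytes actually received before it allocates and fills the heap buffer. The struct layout, function names, the 64 KiB cap and the case-sensitive header match are assumptions chosen for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 65536   /* hard cap on body size, independent of what the server declares */
struct rtsp_response {
    int status;          /* status code from the response line, e.g. 200 */
    size_t body_len;     /* bytes copied into body */
    char *body;          /* heap buffer of body_len + 1 bytes (NUL-terminated), or NULL */
};
/* Value of "Content-Length:" in the first hlen bytes (case-sensitive match); -1 if absent, -2 if malformed or > MAX_BODY. */
static long content_length(const char *data, size_t hlen)
{
    static const char key[] = "\r\nContent-Length:";
    size_t klen = sizeof key - 1, i, j; long v = 0;
    for (i = 0; i + klen <= hlen; i++) {
        if (memcmp(data + i, key, klen) != 0) continue;
        j = i + klen; while (j < hlen && data[j] == ' ') j++;
        if (j >= hlen || data[j] < '0' || data[j] > '9') return -2;
        for (; j < hlen && data[j] >= '0' && data[j] <= '9'; j++) {
            v = v * 10 + (data[j] - '0');
            if (v > MAX_BODY) return -2;   /* refuse before a huge value can wrap or drive an allocation */
        }
        return v;
    }
    return -1;
}

/* Parse one RTSP response held in data[0..len). Returns 0 on success (caller frees out->body) and -1 on
 * malformed input, a truncated body or an oversized length; the heap copy is bounded by bytes received. */
int rtsp_parse_response(const char *data, size_t len, struct rtsp_response *out)
{
    size_t i, hend = 0, avail; long clen;
    out->status = 0; out->body_len = 0; out->body = NULL;
    if (len < 12 || memcmp(data, "RTSP/1.0 ", 9) != 0) return -1;
    for (i = 9; i < 12; i++)
        if (data[i] < '0' || data[i] > '9') return -1;           /* status code must be three digits */
    out->status = (data[9] - '0') * 100 + (data[10] - '0') * 10 + (data[11] - '0');
    for (i = 12; i + 3 < len && hend == 0; i++)                   /* locate the CRLFCRLF ending the headers */
        if (memcmp(data + i, "\r\n\r\n", 4) == 0) hend = i;
    if (hend == 0) return -1;
    avail = len - (hend + 4);                                     /* bytes actually present after the blank line */
    clen = content_length(data, hend + 2);                        /* header block includes its final CRLF */
    if (clen == -1) return 0;                                     /* no body declared */
    if (clen < 0 || (size_t)clen > avail) return -1;              /* the check a CWE-787 parser is missing */
    out->body = malloc((size_t)clen + 1);
    if (out->body == NULL) return -1;
    memcpy(out->body, data + hend + 4, (size_t)clen);             /* clen <= avail and <= MAX_BODY here */
    out->body[clen] = '\0'; out->body_len = (size_t)clen;
    return 0;
}
```

A response whose declared length exceeds what was received, or exceeds the cap, is rejected before any allocation, so the copy can never run past the buffer it was sized for.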
Remediation (AI)
Upgrade GStreamer to version 1.16.0 or later as detailed in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2019-0001.html. For distribution-packaged versions, apply the vendor-specific security updates: Debian users should reference DSA-4437 (https://www.debian.org/security/2019/dsa-4437), Ubuntu users should apply USN-3958-1 (https://usn.ubuntu.com/3958-1/), and openSUSE users should consult their respective security announcements. As a temporary mitigation until patching is complete, avoid connecting GStreamer-based applications to untrusted RTSP servers and consider implementing network segmentation to restrict RTSP connections to known, trusted sources only.
Weakness: CWE-787 – Out-of-bounds Write