
Debian Linux CVE-2019-9928

Severity: HIGH (CVSS 3.0 score 8.8, NVD)
Weakness: Out-of-bounds Write (CWE-787)
Published: 2019-04-24 (cve@mitre.org)

Severity by source

NVD (primary): 8.8 HIGH, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
CVE Published: Apr 24, 2019 - 15:29 (NVD)

Description (CVE.org)

GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

Analysis (AI)

A heap-based buffer overflow vulnerability exists in GStreamer's RTSP connection parser that allows remote attackers to execute arbitrary code by sending a specially crafted response from a malicious RTSP server. The vulnerability affects all GStreamer versions prior to 1.16.0 and requires user interaction (connecting to a malicious server), with a CVSS score of 8.8 indicating high severity. While no active exploitation has been confirmed (it is not listed in CISA's KEV catalog), the vulnerability has been publicly disclosed with security advisories available, and the attack vector is relatively straightforward for attackers with RTSP protocol knowledge.

Technical Context (AI)

GStreamer is a widely used open-source multimedia framework that handles many media formats and protocols, including RTSP (Real Time Streaming Protocol), which is commonly used for streaming video. The vulnerability stems from improper bounds checking in the RTSP connection parser, classified as CWE-787 (Out-of-bounds Write): the parser fails to validate the size of incoming data before copying it into a heap buffer. Based on the CPE data, the affected product is GStreamer itself (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) in versions before 1.16.0, and vulnerable versions ship in several Linux distributions, including Debian 8.0 and 9.0 and Ubuntu 16.04 LTS, 18.04 LTS, and 18.10.

Remediation (AI)

Upgrade GStreamer to version 1.16.0 or later as detailed in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2019-0001.html. For distribution-packaged versions, apply the vendor-specific security updates: Debian users should reference DSA-4437 (https://www.debian.org/security/2019/dsa-4437), Ubuntu users should apply USN-3958-1 (https://usn.ubuntu.com/3958-1/), and openSUSE users should consult their respective security announcements. As a temporary mitigation until patching is complete, avoid connecting GStreamer-based applications to untrusted RTSP servers and consider implementing network segmentation to restrict RTSP connections to known, trusted sources only.
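An added inventory check, written for this page rather than taken from vuln.today or the GStreamer project, that classifies an installed or packaged GStreamer version against the 1.16.0 fix line; it assumes the RTSP library is reported by pkg-config under the module name gstreamer-rtsp-1.0, and the version strings in the comments are constructed samples.

```python
import re
import subprocess

# First upstream release with the fix, per GStreamer SA-2019-0001.
FIXED_UPSTREAM = (1, 16, 0, 0)


def upstream_version(pkg_version: str) -> tuple:
    """Reduce a version string to a comparable (major, minor, micro, pre) tuple.

    Handles plain upstream strings ("1.14.4") and Debian/Ubuntu package
    versions ("1:1.14.4-1ubuntu1~18.04.1", a constructed sample): the epoch
    before ':' and the revision after the first '-' are dropped. A '~'
    pre-release suffix ("1.16.0~rc1") sorts below the final release, so it
    is marked with -1 in the last slot.
    """
    v = pkg_version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]        # drop Debian epoch
    v = v.split("-", 1)[0]            # drop Debian revision
    base, sep, _pre = v.partition("~")
    nums = [int(x) for x in re.findall(r"\d+", base)[:3]]
    nums += [0] * (3 - len(nums))     # pad "1.16" -> 1.16.0
    return tuple(nums) + ((-1,) if sep else (0,))


def is_vulnerable(pkg_version: str) -> bool:
    """True if the upstream version is older than 1.16.0.

    Caveat: Debian and Ubuntu backport the fix without bumping the upstream
    version (DSA-4437, USN-3958-1), so for distro packages compare the full
    package version against the fixed revision named in the advisory.
    """
    return upstream_version(pkg_version) < FIXED_UPSTREAM


def installed_version(module: str = "gstreamer-rtsp-1.0") -> str:
    """Ask pkg-config for the installed RTSP library version (module name assumed)."""
    out = subprocess.run(["pkg-config", "--modversion", module],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        ver = installed_version()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("gstreamer-rtsp-1.0 not found via pkg-config")
    else:
        state = "upstream < 1.16.0, check advisory" if is_vulnerable(ver) else "fixed upstream"
        print(f"installed {ver}: {state}")
```

Packages that already carry the DSA-4437 or USN-3958-1 backport keep their pre-1.16.0 upstream version, so for those this check is only a prompt to look up the fixed package revision, not a verdict.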



CVE-2019-9928 vulnerability details – vuln.today
