Skip to main content

GStreamer gst-plugins-bad CVE-2026-12891

| EUVDEUVD-2026-38606 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-23 redhat GHSA-9j3r-2vv4-g5x8
4.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network delivery of a crafted file triggers the flaw (AV:N, PR:N), but victim must open it (UI:R); impact is a narrow memory read with no integrity or availability consequence (C:L, I:N, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 23, 2026 - 20:52 vuln.today
CVE Published
Jun 23, 2026 - 19:53 cve.org
MEDIUM 4.3

DescriptionCVE.org

A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.

AnalysisAI

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malformed H.266/VVC file with manipulated aspect ratio indicator
Delivery
Deliver file to target via email, web, or stream
Exploit
Victim opens file in GStreamer-based application
Execution
H.266 parser performs 8-byte out-of-bounds read
Impact
Adjacent memory contents exposed through video metadata

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively open or process a crafted H.266/VVC video file or stream using an application built on GStreamer with the gst-plugins-bad H.266/VVC parser plugin loaded - this is the triggering condition (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) accurately captures the key risk dimensions: the attack is network-reachable with low complexity and no authentication, but requires the victim to open or play the crafted file (UI:R), and the confidentiality impact is limited to a narrow 8-byte window (C:L) with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malformed H.266/VVC video file in which the aspect ratio indicator field is set to a value that causes the GStreamer parser to read 8 bytes past the intended buffer boundary. The attacker delivers this file to a target user via email attachment, a malicious website, or an embedded media stream. …
Remediation The primary remediation is to apply the updated gst-plugins-bad package from Red Hat once released; consult https://access.redhat.com/security/cve/CVE-2026-12891 for the errata advisory and exact fixed RPM version, as no specific patched version number is confirmed in the data available at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Not-Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Not-Affected

Share

CVE-2026-12891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy