Skip to main content

gst-plugins-bad CVE-2026-12892

| EUVDEUVD-2026-38607 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-23 redhat GHSA-mc62-3gf7-rphg
4.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
vuln.today AI
4.4 MEDIUM

File-based local parsing attack requires active user interaction; 1-byte read limits impact to minimal confidentiality exposure and application crash with no integrity or scope change.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
4.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 20:53 vuln.today

DescriptionCVE.org

A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.

AnalysisAI

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft H.264 file with malformed MVC/SVC NAL unit
Delivery
Deliver file to victim via social engineering
Exploit
Victim opens file in GStreamer-backed media player
Execution
H.264 parser processes extension slice without length validation
Persist
1-byte heap out-of-bounds read triggered
Impact
Application crash or single-byte heap memory disclosure

Vulnerability AssessmentAI

Exploitation Exploitation requires that gst-plugins-bad is installed on the target RHEL system and that the victim actively opens a specially crafted H.264 video file (UI:R) containing malformed MVC (Multi-View Coding) or SVC (Scalable Video Coding) extension slice NAL units with insufficient data beyond the extension header. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.4 (Medium) is broadly accurate and is supported by the available signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious H.264 video file embedding a malformed MVC or SVC extension slice NAL unit with a truncated payload, then distributes it via a phishing email, malicious website, or messaging platform. When a victim on an affected RHEL system opens the file in a GStreamer-backed media player (such as Totem, Rhythmbox, or a browser with GStreamer integration), the H.264 parser reads 1 byte past the NAL unit boundary, potentially crashing the application or exposing a single heap byte. …
Remediation Apply patches via standard RHEL update mechanisms (yum update gstreamer1-plugins-bad-free or dnf update gstreamer1-plugins-bad-free) once errata are published; monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-12892 for patch availability and exact fixed version numbers, as no specific patched release is confirmed in the current intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected

Share

CVE-2026-12892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy