Skip to main content

gstreamer1-libav CVE-2026-12893

MEDIUM
2026-07-06 vendor:ubuntu
Share

Severity by source

vuln.today AI
6.5 MEDIUM

Network-reachable via crafted media file, user interaction required to open it, no privileges needed, crash-only impact so availability high, no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
5.5 MEDIUM
qualitative

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 20:22 vuln.today

DescriptionCVE.org

[gstreamer1-libav: gstreamer1-libav: NULL pointer dereference in gstavdemux.c error handler]

AnalysisAI

NULL pointer dereference in the error handler of gstavdemux.c within gstreamer1-libav can crash the GStreamer pipeline process when it encounters a malformed or crafted media stream during AV demuxing. The flaw resides specifically in error recovery logic - the code path meant to handle failures itself dereferences a NULL pointer, producing a denial-of-service condition in any application relying on this plugin for media playback or processing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malformed media container
Delivery
Deliver file to target (upload or share link)
Exploit
User opens file or pipeline ingests it
Execution
Demuxer encounters error in gstavdemux.c
Persist
NULL pointer dereferenced in error handler
Impact
GStreamer pipeline process crashes

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses gstreamer1-libav (the FFmpeg/libav GStreamer plugin) as part of its media pipeline and processes attacker-controlled media input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Available signals are sparse: no CVSS vector, no EPSS score, no KEV listing, and no confirmed POC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malformed media file (e.g., a corrupt AVI or MKV container) specifically designed to trigger a failure in the libav demuxer. When the target opens the file in a GStreamer-backed media player or uploads it to a server-side transcoding service, the demuxer encounters the error, invokes the error handler in gstavdemux.c, and dereferences the NULL pointer - crashing the GStreamer pipeline process. …
Remediation Apply the updated gstreamer1-libav package distributed through the Ubuntu package repositories once a patched build is released - no exact fix version was confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy