Skip to main content

GStreamer webrtcbin CVE-2026-14935

| EUVDEUVD-2026-42051 LOW
Always-Incorrect Control Flow Implementation (CWE-670)
2026-07-07 redhat GHSA-m678-vwg3-59mp
3.7
CVSS 3.1 · Vendor: redhat

Severity by source

Vendor (redhat) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

Network vector requires MitM on signaling (AC:H); no auth needed; only integrity weakened, no confidentiality or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 07, 2026 - 16:19 vuln.today
CVE Published
Jul 07, 2026 - 15:37 cve.org
LOW 3.7

DescriptionCVE.org

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.

AnalysisAI

GStreamer's webrtcbin component accepts remote SDP offers and answers that are missing the required a=fingerprint attribute due to an inverted boolean logic check in _check_sdp_crypto(), undermining the DTLS certificate fingerprint binding that protects WebRTC media streams from interception. An attacker already positioned as a man-in-the-middle on the WebRTC signaling channel can strip the a=fingerprint attribute from SDP messages, which the vulnerable code then incorrectly accepts, allowing the attacker to substitute their own DTLS certificate and intercept or tamper with encrypted media. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attain MitM on WebRTC signaling channel
Delivery
Intercept outgoing SDP offer or answer
Exploit
Strip a=fingerprint attribute from SDP
Install
Forward modified SDP to target endpoint
C2
Inverted _check_sdp_crypto() accepts fingerprint-free SDP
Execute
Present attacker-controlled DTLS certificate
Impact
Decrypt or tamper with media stream

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an active man-in-the-middle position on the WebRTC signaling channel - specifically, the ability to intercept and modify SDP offer/answer messages in transit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned between a GStreamer-based WebRTC endpoint and its signaling server - for example, via ARP poisoning on a local network or by controlling a compromised signaling relay - intercepts outgoing SDP offers and strips the a=fingerprint attribute before forwarding them. Because _check_sdp_crypto() has its conditional inverted, the receiving endpoint's GStreamer instance accepts the fingerprint-free SDP as valid. …
Remediation An upstream fix has been submitted via GStreamer's security merge request at https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/98; however, a specific tagged release version incorporating this fix was not confirmed in the available data, so this should be characterized as an upstream fix available (MR/commit) with released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Share

CVE-2026-14935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy