
GStreamer librfb CVE-2026-52720

EUVD: EUVD-2026-36803 · HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-15 · Vendor: redhat · GHSA-38vh-57p3-w3gw
CVSS 3.1 base score: 8.8 (Vendor: redhat)

Severity by source

Vendor (redhat), primary: 8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

The client connects over the network to an attacker-controlled VNC server (AV:N, PR:N); the flaw is reliably triggered by a single crafted rectangle (AC:L); the user must initiate the connection (UI:R); a heap-based RCE yields full confidentiality, integrity and availability impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative)
Red Hat: 8.8 HIGH (qualitative)

Primary rating from Vendor (redhat).

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 19:53 (vuln.today)
CVE Published: Jun 15, 2026 - 19:15 (cve.org)

Description (CVE.org)

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.

Analysis (AI)

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a connecting client, potentially leading to remote code execution or denial of service. The flaw stems from validating rectangle area instead of individual dimensions, letting attacker-controlled rectangles extend beyond the framebuffer. …
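The description and analysis above both turn on one detail: the decoder compared the rectangle's area (width × height) against the framebuffer's area instead of checking each edge. The C program below is an added illustration of that bug class and of the per-dimension check that closes it; it is not librfb's code, and the type and function names (`framebuffer_t`, `rfb_rect_t`, `rect_check_area_only`, `rect_check_dimensions`) are assumptions made for this example. The sample framebuffer and rectangles are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical framebuffer geometry and RFB rectangle header.
 * These names are assumptions for this example, not librfb's own types. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} framebuffer_t;

typedef struct {
    uint16_t x, y, w, h;   /* RFB rectangle header fields are 16-bit on the wire */
} rfb_rect_t;

/* Weak check of the kind the advisory describes: only the rectangle's area
 * is compared with the framebuffer's area. A rectangle that is small in area
 * but offset past the right or bottom edge still passes. */
bool rect_check_area_only(const framebuffer_t *fb, const rfb_rect_t *r)
{
    uint64_t rect_area = (uint64_t)r->w * r->h;
    uint64_t fb_area = (uint64_t)fb->width * fb->height;
    return rect_area <= fb_area;
}

/* Hardened check: each edge is validated on its own. The 64-bit casts keep
 * the comparison safe even if the header fields are later widened, and an
 * empty rectangle is rejected so a later copy loop never runs on zero rows. */
bool rect_check_dimensions(const framebuffer_t *fb, const rfb_rect_t *r)
{
    if (r->w == 0 || r->h == 0)
        return false;
    if ((uint64_t)r->x + r->w > fb->width)
        return false;
    if ((uint64_t)r->y + r->h > fb->height)
        return false;
    return true;
}

/* Total framebuffer size in bytes. */
uint64_t framebuffer_size(const framebuffer_t *fb)
{
    return (uint64_t)fb->width * fb->height * fb->bytes_per_pixel;
}

/* One past the last destination byte a row-by-row raw copy of this
 * rectangle would touch. Used only to show that the area-only check admits
 * rectangles whose copy would run past the end of the buffer. */
uint64_t rect_end_offset(const framebuffer_t *fb, const rfb_rect_t *r)
{
    uint64_t last_row = (uint64_t)r->y + r->h - 1;
    uint64_t end_col = (uint64_t)r->x + r->w;
    return (last_row * fb->width + end_col) * fb->bytes_per_pixel;
}

/* Constructed sample data: an 800x600 32bpp framebuffer, a rectangle that
 * fits, and one with a tiny area that is offset past both edges. */
static const framebuffer_t kFb = { 800, 600, 4 };
static const rfb_rect_t kRectOk = { 10, 10, 100, 100 };
static const rfb_rect_t kRectPastEdge = { 790, 590, 64, 64 };

int main(void)
{
    printf("in-bounds rect:  area-only=%d  per-dimension=%d\n",
           rect_check_area_only(&kFb, &kRectOk),
           rect_check_dimensions(&kFb, &kRectOk));
    printf("past-edge rect:  area-only=%d  per-dimension=%d\n",
           rect_check_area_only(&kFb, &kRectPastEdge),
           rect_check_dimensions(&kFb, &kRectPastEdge));
    printf("past-edge copy would end at byte %llu of a %llu-byte buffer\n",
           (unsigned long long)rect_end_offset(&kFb, &kRectPastEdge),
           (unsigned long long)framebuffer_size(&kFb));
    return 0;
}
```

The second rectangle has an area of 4096 pixels, far below the framebuffer's 480000, so the area-only check accepts it even though its copy would end beyond the 1,920,000-byte buffer; the per-dimension check rejects it because 790 + 64 exceeds the width. Validating every edge before any pixel copy is the property a reviewer should look for in the fixed decoder.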


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Attacker stands up malicious VNC server
Delivery: Lures victim to connect via rfb:// URI
Exploit: Sends FramebufferUpdate with oversized rectangle
Install: Bypasses area-based bounds check
C2: Heap out-of-bounds write during pixel copy
Execute: Hijack control flow in GStreamer process
Impact: Code execution as the user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the victim's GStreamer build includes the librfb plugin and that the user actively initiates a VNC/RFB session to an attacker-controlled server (UI:R in the CVSS vector); the attacker does not need credentials on the victim host but must coerce or trick the outbound connection. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H yields 8.8 and accurately reflects a client-side memory-corruption flaw: network reachable, low complexity, no privileges, but requires the victim to initiate a VNC connection to the attacker's server (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker stands up a malicious VNC server and uses phishing or a malicious link (vnc://, a media playlist, or an embedded URI handled by a GStreamer-based application) to entice a RHEL user to connect. When the victim's client requests a framebuffer update, the server replies with a FramebufferUpdate containing a rectangle whose x/y offsets place writes outside the framebuffer while keeping width*height small enough to pass the area check, corrupting heap metadata with attacker-supplied pixel bytes and ultimately achieving code execution in the user's session or crashing the application.

Remediation: No vendor-released patch identified at time of analysis in the supplied data; track the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-52720 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2486731 for the fixed gstreamer1-plugins-bad-free (or equivalent) package versions per RHEL release, and apply them via dnf/yum update once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all RHEL 6-10 systems with GStreamer installed; document which systems require VNC client functionality; block outbound VNC connections (ports 5900-5910) at the firewall for systems where VNC is not essential. …



Vendor Status

SUSE

Severity: Important

Product status:
openSUSE Tumbleweed: Fixed
SUSE Linux Enterprise Desktop 15 SP7: Affected
SUSE Linux Enterprise High Performance Computing 15 SP7: Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7: Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7: Affected
