Skip to main content

GStreamer CVE-2026-52722

| EUVDEUVD-2026-36804 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-15 redhat GHSA-cj3w-jxwm-h5h8
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

Network-delivered crafted file (AV:N) decoded with no privileges (PR:N) but requires the user to open it (UI:R); OOB read yields low confidentiality and high availability impact, no integrity effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:52 vuln.today
CVE Published
Jun 15, 2026 - 19:15 cve.org
HIGH 7.1

DescriptionCVE.org

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.

AnalysisAI

Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

GStreamer is a widely deployed open-source multimedia framework used across Linux desktops, embedded systems, and applications such as media players, browsers, and screen-recording tools. The affected component is the VMnc decoder, which parses the VMware-developed VMnc (VMware VNC) screen-capture codec. The root cause is CWE-190 (Integer Overflow or Wraparound): when a VMnc stream declares large cursor width/height values, the multiplication used to compute the payload size overflows a signed integer, producing a small or negative result that satisfies a downstream length check while the actual data read extends past the allocated buffer, leading to out-of-bounds memory reads. Red Hat CPE data scopes the impact across Red Hat Enterprise Linux 6 through 10, since GStreamer is shipped as a core multimedia stack in those distributions.

RemediationAI

No vendor-released patch version was identified in the input at time of analysis; defenders should monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-52722 and the upstream GStreamer work item at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107 and apply the fixed gstreamer-plugins packages once published by their distribution (yum/dnf update gstreamer1-plugins-* on RHEL hosts). Until a patch ships, the highest-value compensating control is to disable or remove the VMnc decoder plugin specifically - on RHEL this typically lives in gstreamer1-plugins-bad-free; uninstalling that subpackage prevents auto-loading of vmncdec at the cost of also disabling other 'bad' codecs used by some media players. As a narrower mitigation, administrators can blacklist the vmncdec element via GST_PLUGIN_FEATURE_RANK=vmncdec:NONE or by removing the libgstvmnc.so file from the plugin directory, which preserves other codecs but breaks legitimate VMnc playback (rare outside VMware screen-recording workflows). User-facing guidance - do not open VMnc files from untrusted sources and disable automatic thumbnail/preview generation for unknown video files - reduces UI:R exposure but is not a substitute for patching.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Affected
SUSE Linux Enterprise Module for Package Hub 15 SP7 Affected

Share

CVE-2026-52722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy