Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Network-delivered crafted file (AV:N) decoded with no privileges (PR:N) but requires the user to open it (UI:R); OOB read yields low confidentiality and high availability impact, no integrity effect.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.
AnalysisAI
Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
GStreamer is a widely deployed open-source multimedia framework used across Linux desktops, embedded systems, and applications such as media players, browsers, and screen-recording tools. The affected component is the VMnc decoder, which parses the VMware-developed VMnc (VMware VNC) screen-capture codec. The root cause is CWE-190 (Integer Overflow or Wraparound): when a VMnc stream declares large cursor width/height values, the multiplication used to compute the payload size overflows a signed integer, producing a small or negative result that satisfies a downstream length check while the actual data read extends past the allocated buffer, leading to out-of-bounds memory reads. Red Hat CPE data scopes the impact across Red Hat Enterprise Linux 6 through 10, since GStreamer is shipped as a core multimedia stack in those distributions.
RemediationAI
No vendor-released patch version was identified in the input at time of analysis; defenders should monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-52722 and the upstream GStreamer work item at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107 and apply the fixed gstreamer-plugins packages once published by their distribution (yum/dnf update gstreamer1-plugins-* on RHEL hosts). Until a patch ships, the highest-value compensating control is to disable or remove the VMnc decoder plugin specifically - on RHEL this typically lives in gstreamer1-plugins-bad-free; uninstalling that subpackage prevents auto-loading of vmncdec at the cost of also disabling other 'bad' codecs used by some media players. As a narrower mitigation, administrators can blacklist the vmncdec element via GST_PLUGIN_FEATURE_RANK=vmncdec:NONE or by removing the libgstvmnc.so file from the plugin directory, which preserves other codecs but breaks legitimate VMnc playback (rare outside VMware screen-recording workflows). User-facing guidance - do not open VMnc files from untrusted sources and disable automatic thumbnail/preview generation for unknown video files - reduces UI:R exposure but is not a substitute for patching.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP6 | Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE CaaS Platform 4.0 | Affected |
| SUSE Enterprise Storage 6 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise Desktop 12 SP2 | Affected |
| SUSE Linux Enterprise Desktop 12 SP3 | Affected |
| SUSE Linux Enterprise Desktop 12 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 | Affected |
| SUSE Linux Enterprise Desktop 15 SP1 | Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Desktop Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| SUSE Linux Enterprise Point of Sale 12 SP2-CLIENT | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 12 SP2 | Affected |
| SUSE Linux Enterprise Server 12 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 12 SP2-ESPOS | Affected |
| SUSE Linux Enterprise Server 12 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP3 | Affected |
| SUSE Linux Enterprise Server 12 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Affected |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 | Affected |
| SUSE Linux Enterprise Server 15 SP1 | Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server 15-LTSS | Affected |
| SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Affected |
| SUSE Manager Proxy 4.0 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.0 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.0 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| SUSE OpenStack Cloud 7 | Affected |
| SUSE OpenStack Cloud 8 | Affected |
| SUSE OpenStack Cloud 9 | Affected |
| SUSE OpenStack Cloud Crowbar 8 | Affected |
| SUSE OpenStack Cloud Crowbar 9 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36804
GHSA-cj3w-jxwm-h5h8