Skip to main content

GStreamer gst-plugins-ugly CVE-2026-53703

| EUVDEUVD-2026-36801 HIGH
Out-of-bounds Read (CWE-125)
2026-06-15 redhat GHSA-hghw-p2mw-fvch
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

File is delivered over the network and opened by a user (AV:N, UI:R); no auth needed (PR:N); reliably crashes the pipeline (A:H) with limited OOB leak into metadata (C:L), no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:51 vuln.today
CVE Published
Jun 15, 2026 - 19:10 cve.org
HIGH 7.1

DescriptionCVE.org

A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly). When processing a RealMedia (.rm) file, the demuxer parses MDPR (media properties) chunks to configure audio streams. For audio stream header versions 4 and 5, the parser reads fields such as codec type, packet size, sample rate, channel count, and extra codec data length from fixed offsets within the chunk without first checking that the chunk contains enough data. If a malicious file provides an MDPR chunk that is too small to contain a complete audio stream header, the parser reads beyond the end of the buffer. This can cause the application to crash. In some cases, bytes read past the buffer boundary may be incorporated into stream metadata, which could result in limited information disclosure.

AnalysisAI

Out-of-bounds read in the GStreamer RealMedia demuxer (gst-plugins-ugly) allows a maliciously crafted .rm file to crash the consuming application and potentially leak small amounts of adjacent heap memory through stream metadata. The flaw affects Red Hat Enterprise Linux 7, 8, 9, and 10 systems shipping the vulnerable demuxer, and exploitation requires a user to open or otherwise process the file (UI:R). There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Technical ContextAI

GStreamer's gst-plugins-ugly bundle contains the RealMedia (.rm) demuxer, which parses container-level chunks including MDPR (Media Properties) chunks describing each stream. For audio header versions 4 and 5, the demuxer reads codec type, packet size, sample rate, channel count, and extra codec data length from fixed byte offsets relative to the chunk start. The root cause is CWE-125 (Out-of-bounds Read): the code does not validate that the MDPR chunk is large enough to contain a complete audio stream header before indexing into it, so a short chunk causes the parser to dereference bytes past the buffer boundary. Because some of those out-of-bounds bytes are copied into the GStreamer stream's metadata structures, they can be surfaced back to applications that introspect stream tags or caps, creating a narrow information-disclosure channel in addition to the more reliable crash.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data - the Red Hat CVE page and Bugzilla entry are referenced but no fixed package version is included, so administrators should monitor https://access.redhat.com/security/cve/CVE-2026-53703 and https://bugzilla.redhat.com/show_bug.cgi?id=2487613 for an RHSA and apply the gst-plugins-ugly update via dnf/yum as soon as it ships. As compensating controls until a patch is available, uninstall gst-plugins-ugly on systems that do not need RealMedia playback (side effect: loss of .rm/.ra and other ugly-bundle codec support); block or strip .rm/.ra attachments at the mail gateway and proxy (side effect: legitimate but rare RealMedia content is rejected); and instruct users not to open .rm files from untrusted sources, particularly in file managers or browsers that auto-probe media via GStreamer thumbnailers (side effect: relies on user discipline). On servers, disabling GStreamer-based thumbnailing services (e.g. tracker-miner, tumbler) removes the most common path by which a crafted file could be processed without explicit user action.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

CVE-2026-53703 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy