Skip to main content

GStreamer gst-plugins-good CVE-2026-53705

| EUVDEUVD-2026-36799 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-15 redhat GHSA-rc6x-6x52-9whj
7.6
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
vuln.today AI
7.6 HIGH

Network-delivered malicious file requires victim to open it (UI:R), no privileges needed; heap corruption reliably crashes the process (A:H) with plausible memory disclosure and code execution potential (C:L/I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Red Hat
7.6 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:50 vuln.today
CVE Published
Jun 15, 2026 - 19:10 cve.org
HIGH 7.6

DescriptionCVE.org

A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file.

AnalysisAI

Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.

Technical ContextAI

GStreamer is the dominant Linux multimedia framework, and gst-plugins-good ships the WavPack decoder element used by media players, browsers, file managers (for thumbnailing/preview), and indexing daemons such as Tracker. The root cause is CWE-190 (Integer Overflow or Wraparound): gst_wavpack_dec_handle_frame() computes the output buffer size as 4 * block_samples * channels using 32-bit signed arithmetic before promoting to the wider allocation-size type. Attacker-controlled header fields can drive that multiplication to wrap, yielding a tiny heap allocation; the upstream WavPack library then writes decoded PCM samples based on the original (unwrapped) dimensions, producing a classic heap buffer overflow adjacent to allocator metadata and neighboring chunks. Because the overflow happens before promotion to size_t, both 32-bit and 64-bit builds are affected identically.

RemediationAI

No vendor-released patch identified at time of analysis - the Red Hat security page and Bugzilla 2487615 are the canonical tracking URLs and should be monitored for the fixed gst-plugins-good package NVR for each of RHEL 7, 8, 9, and 10. Once errata publish, update gst-plugins-good with 'dnf update gst-plugins-good' (or 'yum update' on RHEL 7 ELS) and restart any long-running media or indexing services (tracker-miner, rygel, browsers, media players) so they reload the patched plugin. As compensating controls until patches land, you can remove or rename the WavPack decoder element (e.g., /usr/lib64/gstreamer-1.0/libgstwavpack.so) which prevents the vulnerable code path at the cost of breaking legitimate .wv playback, disable desktop thumbnailing/auto-preview for audio in GNOME/KDE file managers, block .wv attachments at the mail gateway, and advise users not to open WavPack files from untrusted sources.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-53705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy