Skip to main content

GStreamer CVE-2026-59691

| EUVDEUVD-2026-42569 HIGH
Out-of-bounds Write (CWE-787)
2026-07-09 redhat GHSA-g4ff-54hw-hj6r
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Victim's client must connect out to a malicious server (UI:R, AV:N, PR:N); confirmed impact is process crash (A:H) with limited/uncertain integrity impact (I:L) and no confidentiality loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 11:23 vuln.today
CVE Published
Jul 09, 2026 - 09:34 nvd
HIGH 7.1

DescriptionCVE.org

A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption.

AnalysisAI

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Stand up malicious RFB/VNC server
Delivery
Lure victim's rfbsrc client to connect
Exploit
Advertise 16bpp framebuffer
Execution
Send Hextile background-fill update
Persist
Write 32-bit pixels into 16-bit heap buffer
Impact
Out-of-bounds heap write crashes/corrupts client

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to use GStreamer's rfbsrc element and to initiate an outbound connection to an attacker-controlled RFB/VNC server (UI:R in the CVSS vector - the client must connect; the attacker cannot push to an unsolicited client). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H, score 7.1) is internally consistent with the description: network reachable, no privileges, but user interaction is required because the victim's client must initiate a connection to the malicious server - the attacker cannot reach the client unsolicited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious VNC/RFB server configured to advertise a 16bpp framebuffer and to send Hextile-encoded background-fill updates, then lures a victim into pointing their GStreamer rfbsrc-based client at that server (e.g., a media pipeline, monitoring dashboard, or automation that connects out). On connection, the crafted update triggers the 32-bit-into-16-bit heap write, crashing the client process and potentially corrupting heap memory. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the GStreamer update once your distribution ships it, tracking the upstream fix at https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100 and, for Red Hat systems, the errata linked from https://access.redhat.com/security/cve/CVE-2026-59691 and https://bugzilla.redhat.com/show_bug.cgi?id=2497343. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running GStreamer with rfbsrc plugin enabled and restrict network connectivity to whitelisted VNC servers via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Share

CVE-2026-59691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy