Skip to main content

GStreamer gst-plugins-good EUVDEUVD-2026-30350

| CVE-2026-46470 MEDIUM
Divide By Zero (CWE-369)
2026-05-14 cve@mitre.org GHSA-7jcp-9qq9-8rjq
Medium
Disputed · 4.0 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
9.1 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 14, 2026 - 19:02 EUVD
Analysis Generated
May 14, 2026 - 18:31 vuln.today
CVE Published
May 14, 2026 - 18:16 nvd
MEDIUM 4.0

DescriptionCVE.org

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.

AnalysisAI

Integer division by zero in GStreamer gst-plugins-good before version 1.28.2 allows local attackers to cause denial of service by supplying a maliciously crafted MP4 file with invalid atom data in audio tracks, triggering a crash in the qtdemux_audio_caps parser function without requiring user interaction or elevated privileges.

Technical ContextAI

GStreamer is a multimedia framework that uses plugin architecture for codec and container handling. The isomp4 (ISO Base Media File Format) plugin's qtdemux_audio_caps function parses metadata atoms from MP4 audio tracks to determine codec capabilities. The vulnerability exists in atom data validation logic that fails to check for zero or invalid divisor values before performing integer division operations used to calculate audio parameters such as sample rates or bitrates. CWE-369 (Divide By Zero) indicates the root cause is missing input validation on untrusted MP4 atom data before arithmetic operations.

RemediationAI

Apply vendor patch by upgrading GStreamer gst-plugins-good to version 1.28.2 or later. The fix is available via the official GStreamer security advisory (https://gstreamer.freedesktop.org/security/sa-2026-0018.html) and upstream merge request (https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11243.patch). For systems unable to immediately patch, restrict access to MP4 media file parsing by disabling isomp4 plugin functionality if not required, validating MP4 files before processing using external tools, or running media processing services in sandboxed or containerized environments with limited filesystem access. Note that disabling the plugin may break legitimate MP4 playback workflows.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-30350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy