
gst-plugins-bad: EUVD-2026-36295 | CVE-2026-53702 (MEDIUM)

Out-of-bounds Write (CWE-787)
2026-06-11 · redhat · GHSA-gmqw-mqj2-6j9j
6.5 CVSS 3.1 · NVD

Severity by source

Vendor (redhat), PRIMARY: MEDIUM (qualitative)
NVD: 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI: 6.5 MEDIUM

Network-delivered crafted H.265 triggers crash without attacker privileges; mandatory user interaction (file open) confirmed; impact is availability-only with no confirmed confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 11, 2026 - 19:26 (vuln.today)
CVE Published: Jun 11, 2026 - 18:15 (nvd), MEDIUM 6.5

Description (NVD)

A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.
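
A simplified model of the loop-bound error described above, added here as an illustration and not GStreamer's code: `model_hrd`, `flawed_iterations` and `parse_cpb_delays` are hypothetical names, and the array sizes are assumptions taken from the H.265 value ranges. The flawed bound is only simulated, so nothing is written out of bounds; the corrected loop takes its count from `cpb_cnt_minus1[0]` and validates it before writing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SUB_LAYERS 7   /* model size: H.265 allows up to 7 sub-layers */
#define MAX_CPB_CNT    32  /* model size: cpb_cnt_minus1 ranges 0..31 */

/* Hypothetical stand-in for the HRD fields stored with the SPS. */
typedef struct {
    uint8_t cpb_cnt_minus1[MAX_SUB_LAYERS];
} model_hrd;

/* Iterations the flawed bound `i <= cpb_cnt_minus1[i]` would run.
 * Simulated safely: returns -1 at the point where the real loop would
 * index past cpb_cnt_minus1[] (undefined behaviour in C). */
static int flawed_iterations(const model_hrd *hrd)
{
    for (int i = 0; ; i++) {
        if (i >= MAX_SUB_LAYERS)
            return -1;
        if (i > hrd->cpb_cnt_minus1[i])
            return i;
    }
}

/* Corrected loop: the count comes from sub-layer 0 and is checked against
 * the destination and source sizes before any write.
 * Returns entries written, or -1 when the signalled count is rejected. */
static int parse_cpb_delays(const model_hrd *hrd, const uint32_t *src,
                            size_t src_len, uint32_t delay[MAX_CPB_CNT])
{
    size_t count = (size_t)hrd->cpb_cnt_minus1[0] + 1;
    if (count > MAX_CPB_CNT || count > src_len)
        return -1;
    for (size_t i = 0; i < count; i++)
        delay[i] = src[i];
    return (int)count;
}

int main(void)
{
    /* Constructed input: SPS signals one CPB, other sub-layers signal six. */
    model_hrd hrd = { { 0, 5, 5, 5, 5, 5, 5 } };
    uint32_t src[MAX_CPB_CNT] = { 0 }, delay[MAX_CPB_CNT];
    printf("flawed bound: %d iterations, corrected: %d\n",
           flawed_iterations(&hrd),
           parse_cpb_delays(&hrd, src, MAX_CPB_CNT, delay));
    return 0;
}
```

With the constructed input, the flawed bound runs six iterations for a stream that signals a single CPB entry, which is the mismatch a patched parser removes.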

Analysis (AI)

Stack buffer overflow in GStreamer's H.265/HEVC codec parser (gst-plugins-bad) allows remote unauthenticated attackers to crash GStreamer-based applications by delivering a crafted H.265 video file or stream that a user opens. The root cause is an incorrect loop bound in the buffering period SEI message parser: the parser mistakenly uses cpb_cnt_minus1[i] (indexed by the current loop variable) rather than cpb_cnt_minus1[0] from the referenced Sequence Parameter Set, causing the loop to iterate beyond the bounds of stack-allocated CPB delay arrays and corrupt stack memory. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft H.265 file with malformed buffering period SEI
Delivery: Deliver to target via email, web, or stream
Exploit: User opens video in GStreamer-based application
Execution: Parser reads cpb_cnt_minus1[i] as loop bound instead of cpb_cnt_minus1[0]
Persist: Stack CPB delay array overwritten
Impact: Application crashes (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target system has gst-plugins-bad installed with H.265/HEVC parsing enabled, and that a user actively opens or streams a crafted H.265 video file from an attacker-controlled source (UI:R). …

Risk Assessment: The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) accurately characterizes this as a medium-severity availability impact with no confidentiality or integrity consequences confirmed. …

Exploit Scenario: An attacker constructs a malicious H.265 video file embedding a buffering period SEI message with cpb_cnt_minus1 values carefully chosen to trigger more loop iterations than the stack buffer can hold, then delivers it to a target via email attachment, web download, or a streaming endpoint. A user on an affected RHEL system opens the file in a GStreamer-based media player (such as Totem, Rhythmbox with video support, or a browser using GStreamer backends), causing the parser to overflow its CPB delay stack buffer and crash the application. …

Remediation: Monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-53702 and the associated Bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=2487612 for a patched gst-plugins-bad package release and apply it to all affected RHEL 7, 8, 9, and 10 systems when available. …
