Skip to main content

GStreamer gst-plugins-bad EUVDEUVD-2026-36798

| CVE-2026-52719 HIGH
Out-of-bounds Read (CWE-125)
2026-06-15 redhat GHSA-33x5-f9c4-3q24
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

JPEG arrives over the network but the victim must open it (UI:R), no auth needed (PR:N); OOB read crashes the decoder (A:H) and may leak limited adjacent memory (C:L) with no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:53 vuln.today
CVE Published
Jun 15, 2026 - 19:10 cve.org
HIGH 7.1

DescriptionCVE.org

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

AnalysisAI

Out-of-bounds read in the VA JPEG decoder shipped in GStreamer's gst-plugins-bad allows a remote attacker to crash the decoder or potentially leak adjacent memory contents when a victim opens a maliciously crafted JPEG file. The flaw stems from the JPEG parser trusting a segment-length value from the bitstream without verifying it fits within the buffer, and affects Red Hat Enterprise Linux 6 through 10 where the plugin is consumed. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Technical ContextAI

GStreamer is the multimedia framework used across the GNOME desktop and many Linux media pipelines; gst-plugins-bad contains the VA-API (Video Acceleration) JPEG decoder element that hands compressed JPEG segments to hardware-accelerated decoding. JPEG bitstreams are organized as a series of marker segments where each marker is followed by a 16-bit length field describing the size of the segment payload. CWE-125 (Out-of-bounds Read) applies here because the parser reads that declared length and then walks into the segment without confirming the declared size is bounded by the remaining input buffer, so downstream parsing dereferences memory past the end of the supplied data - classically a source of crashes (SIGSEGV) and, when the read lands in mapped pages, of small information leaks fed back into decoded pixel data or error paths.

RemediationAI

No vendor-released patch identified at time of analysis in the supplied data - monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-52719 and Bugzilla 2486353 for fixed gstreamer1-plugins-bad-free package versions for each RHEL stream, and the upstream fix progress at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5104. Until a backport is available, compensating controls are to avoid opening untrusted JPEGs in applications that use GStreamer's VA decoder, disable VA-API JPEG decoding by forcing software JPEG decoding (e.g. setting GST_VAAPI_DISABLE_CODECS or removing/blacklisting the gstreamer-vaapi/gst-plugin-va JPEG element) so that the affected code path is not selected - with the trade-off of losing hardware-accelerated JPEG decoding and slightly higher CPU on image-heavy workloads - and disabling GNOME/Nautilus image thumbnailers in shared file-server contexts to prevent drive-by decoding of attacker-supplied files.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected

Share

EUVD-2026-36798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy