Skip to main content

GStreamer gst-plugins-ugly EUVDEUVD-2026-36802

| CVE-2026-53704 HIGH
Out-of-bounds Read (CWE-125)
2026-06-15 redhat GHSA-j3jj-fwr8-4v9m
7.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

Malicious file delivered over network (AV:N), no auth needed (PR:N), but victim must open the file (UI:R); impact is hang/crash (A:H) with only limited adjacent-memory read (C:L), no integrity effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 19:50 vuln.today
CVE Published
Jun 15, 2026 - 19:10 cve.org
HIGH 7.1

DescriptionCVE.org

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.

AnalysisAI

Out-of-bounds read and denial-of-service in GStreamer's RealMedia demuxer (gst-plugins-ugly) allows remote attackers to crash, hang, or potentially leak limited adjacent memory when a victim opens a maliciously crafted RealMedia (.rm) file. The flaw stems from unvalidated offsets in re_skip_pascal_string() and an attacker-controlled loop counter in the FILEINFO metadata parser. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.

Technical ContextAI

GStreamer is the multimedia framework used pervasively across Linux desktops (GNOME, KDE), embedded devices, and server-side media pipelines; gst-plugins-ugly contains the RealMedia (rmdemux) element that demultiplexes legacy RealMedia container files. The root cause is CWE-125 (Out-of-bounds Read): the demuxer's FILEINFO section parser uses re_skip_pascal_string() to walk variable-name/value Pascal-style length-prefixed strings without checking that the cumulative offset stays within the mapped GstBuffer. Compounding the issue, the number of FILEINFO entries iterated by the parsing loop is taken directly from attacker-controlled bytes with no sanity bound, enabling either an infinite/extremely long loop (CPU exhaustion) or reads past the buffer end into adjacent heap memory, depending on file content.

RemediationAI

No vendor-released patch identified at time of analysis in the provided intelligence; monitor https://access.redhat.com/security/cve/CVE-2026-53704 and https://bugzilla.redhat.com/show_bug.cgi?id=2487614 for updated gst-plugins-ugly RPMs and apply them via dnf/yum once published. Until a patched package is available, compensating controls include uninstalling or masking the gst-plugins-ugly package on systems that do not need RealMedia playback (trade-off: legacy .rm/.ra/.rv files will no longer play), removing or chmod-disabling the rmdemux GStreamer plugin file specifically while keeping the rest of gst-plugins-ugly functional, disabling GNOME/KDE file-manager automatic thumbnailing for video files (trade-off: loss of preview thumbnails) to prevent silent triggering, and instructing users not to open untrusted .rm files received via email or download. Mail and web gateways can additionally block or quarantine RealMedia MIME types (application/vnd.rn-realmedia, audio/x-pn-realaudio) at the perimeter.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

EUVD-2026-36802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy