Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Victim's client must connect out to a malicious server (UI:R, AV:N, PR:N); confirmed impact is process crash (A:H) with limited/uncertain integrity impact (I:L) and no confidentiality loss.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption.
AnalysisAI
Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to use GStreamer's rfbsrc element and to initiate an outbound connection to an attacker-controlled RFB/VNC server (UI:R in the CVSS vector - the client must connect; the attacker cannot push to an unsolicited client). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H, score 7.1) is internally consistent with the description: network reachable, no privileges, but user interaction is required because the victim's client must initiate a connection to the malicious server - the attacker cannot reach the client unsolicited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up a malicious VNC/RFB server configured to advertise a 16bpp framebuffer and to send Hextile-encoded background-fill updates, then lures a victim into pointing their GStreamer rfbsrc-based client at that server (e.g., a media pipeline, monitoring dashboard, or automation that connects out). On connection, the crafted update triggers the 32-bit-into-16-bit heap write, crashing the client process and potentially corrupting heap memory. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the GStreamer update once your distribution ships it, tracking the upstream fix at https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100 and, for Red Hat systems, the errata linked from https://access.redhat.com/security/cve/CVE-2026-59691 and https://bugzilla.redhat.com/show_bug.cgi?id=2497343. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running GStreamer with rfbsrc plugin enabled and restrict network connectivity to whitelisted VNC servers via firewall rules. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42569
GHSA-g4ff-54hw-hj6r