Enterprise Linux Workstation
Monthly
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.
This is an out-of-bounds read vulnerability in GStreamer's gst-plugins-bad MPEG demuxer component that allows remote attackers to crash applications by sending specially crafted MPEG Program Stream Map (PSM) data. The vulnerability affects GStreamer installations across multiple Linux distributions including Debian 8.0/9.0 and Red Hat Enterprise Linux 7.x variants. With an EPSS score of 6.52% (91st percentile), this vulnerability has a moderately elevated probability of exploitation in the wild, though no active exploitation or KEV listing is indicated.
The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.
A buffer over-read vulnerability exists in GStreamer's H.264 video decoding implementation that affects Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey on Linux systems. Remote attackers can trigger a denial of service (application crash) or potentially execute arbitrary code by crafting malicious H.264 video data within an m4v file. With an EPSS score of 7.61% (92nd percentile) and patches available from vendors, this vulnerability represents a moderate exploitation risk despite its CVSS 6.8 rating, indicating real-world prioritization is warranted for affected Linux deployments.
A Cross-site request forgery vulnerability exists in ipa/session/login_password in all supported versions of IPA.
This is an out-of-bounds read vulnerability in GStreamer's gst-plugins-bad MPEG demuxer component that allows remote attackers to crash applications by sending specially crafted MPEG Program Stream Map (PSM) data. The vulnerability affects GStreamer installations across multiple Linux distributions including Debian 8.0/9.0 and Red Hat Enterprise Linux 7.x variants. With an EPSS score of 6.52% (91st percentile), this vulnerability has a moderately elevated probability of exploitation in the wild, though no active exploitation or KEV listing is indicated.
The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.
A buffer over-read vulnerability exists in GStreamer's H.264 video decoding implementation that affects Mozilla Firefox, Firefox ESR, Thunderbird, and SeaMonkey on Linux systems. Remote attackers can trigger a denial of service (application crash) or potentially execute arbitrary code by crafting malicious H.264 video data within an m4v file. With an EPSS score of 7.61% (92nd percentile) and patches available from vendors, this vulnerability represents a moderate exploitation risk despite its CVSS 6.8 rating, indicating real-world prioritization is warranted for affected Linux deployments.