oss-sec mailing list archives

10+ CVEs in GStreamer


From: Solar Designer <solar () openwall com>
Date: Mon, 16 Mar 2026 03:58:16 +0100

Hi,

As described on the homepage:

https://gstreamer.freedesktop.org

GStreamer is a library for constructing graphs of media-handling
components. The applications it supports range from simple Ogg/Vorbis
playback, audio/video streaming to complex audio (mixing) and video
(non-linear editing) processing.

News - GStreamer 1.26.11 old-stable bug fix release   2026-03-10 17:00

The GStreamer team is pleased to announce another bug fix release in
the now old-stable 1.26 release series of your favourite cross-platform
multimedia framework!

Please note that the 1.26 old-stable series is no longer actively
maintained and has been superseded by the GStreamer 1.28 stable series
now.

This release only contains bugfixes, and it should be safe to update
from 1.26.x.

Highlighted bugfixes:

    Security fixes for the JPEG, H.265 and H.266 video parsers and the
DVB subtitle overlay
    Security fixes for the ASF, RealMedia and QuickTime/MP4 demuxers and
RIFF library
    Security fixes for the WAV audio parser and the RTP QDM2 depayloader

GStreamer 1.28.1 stable bug fix release   2026-02-26 02:00

The GStreamer team is pleased to announce the first bug fix release in
the new stable 1.28 release series of your favourite cross-platform
multimedia framework!

This release only contains bug fixes as well as a number of security
fixes. It should be safe to update from 1.28.0, and we recommend you do
so at your earliest convenience.

Highlighted bugfixes:

    Various security fixes and playback fixes

The news story at:

https://www.opennet.me/opennews/art.shtml?num=64964

originally in Russian explains GStreamer usage as follows, translated to
English here:

The GStreamer library is used to parse multimedia files in Nautilus
(GNOME Files), GNOME Videos, and Rhythmbox, as well as in the
localsearch search engine (previously known as tracker-miners) developed
by the GNOME project. This engine is installed in many distributions as
a dependency of the tracker-extract package, which GNOME uses to
automatically parse metadata in new files. Among other things, this
service indexes all files in the user's home directory without any user
interaction. Therefore, to perform an attack, simply create a specially
crafted multimedia file in the user's home directory, and the
vulnerability will be exploited during its automatic indexing.

In most GNOME distributions, localsearch components (tracker-miners) are
enabled by default and loaded as a hard dependency of the Nautilus file
manager (GNOME Files). Starting with GNOME 46, the localsearch process
runs in sandbox isolation. To disable metadata extraction, you can
delete the rules files from the /usr/share/localsearch3/extract-rules/
or /usr/share/tracker3-miners/extract-rules/ directory.

There are 10 GStreamer CVEs recently listed at:

https://www.zerodayinitiative.com/advisories/published/

and even more at:

https://gstreamer.freedesktop.org/security/

so I'll quote from the latter page:

GStreamer-SA-2026-0012        H.265 video parser potential denial-of-service  2026-02-25 23:59

GStreamer-SA-2026-0011
CVE-2026-3084
ZDI-CAN-28910         Out-of-bounds write in H.266 video parser when parsing picture partitions       2026-02-25 23:59

GStreamer-SA-2026-0010
CVE-2026-3081
ZDI-CAN-28839         Stack buffer overflow in H.266 video parser when parsing pic_timing SEIs        2026-02-25 23:59

GStreamer-SA-2026-0009
CVE-2026-3086
ZDI-CAN-28911         Out-of-bounds buffer write in H.266 video parser when parsing Adaptation Parameter Set  
2026-02-25 23:59

GStreamer-SA-2026-0008
CVE-2026-3083, CVE-2026-3085
ZDI-CAN-28851, ZDI-CAN-28850  Multiple vulnerabilities in RTP QDM2 depayloader element        2026-02-25 23:59

GStreamer-SA-2026-0007
CVE-2026-2923
ZDI-CAN-28838         Out-of-bounds read and write in DVB Subtitle Decoder    2026-02-25 23:59

GStreamer-SA-2026-0006
CVE-2026-2920
ZDI-CAN-28843         Out-of-bounds write in ASF Demuxer      2026-02-25 23:59

GStreamer-SA-2026-0005
CVE-2026-2922
ZDI-CAN-28845         Out-of-bounds write in RealMedia Demuxer        2026-02-25 23:59

GStreamer-SA-2026-0004
CVE-2026-2921
ZDI-CAN-28854         Integer overflow in RIFF parser         2026-02-25 23:59

GStreamer-SA-2026-0003
CVE-2026-3082
ZDI-CAN-28840         Heap-based Buffer Overflow on Huffman tables reading in JPEG parser     2026-02-25 23:59

GStreamer-SA-2026-0002        Out-of-bounds read in MP4 demuxer       2026-02-25 23:59

GStreamer-SA-2026-0001
CVE-2026-1940         Out-of-bounds read in WAV parser        2026-02-25 23:59

Alexander


Current thread: