Description
A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in the GStreamer gst-plugins-bad package. The H.266 (VVC) parser performs an out-of-bounds read of up to 8 bytes from adjacent memory when it encounters a crafted aspect ratio indicator in a malformed video stream. This allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, can leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space. The weakness is classified as CWE-125.
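The following is an added illustration of the lookup pattern behind a CWE-125 read in a VUI aspect ratio parser; it is not GStreamer's code and the function names are hypothetical. It assumes the standard VUI Table E-1 sample aspect ratios (aspect_ratio_idc 0..16, 255 = Extended_SAR) and shows the unchecked table index beside a bounds-checked version that rejects reserved indicator values instead of reading the 8-byte entry past the table.

```c
/* Added illustration, not GStreamer's code: unchecked vs. bounds-checked lookup of
 * a VUI aspect_ratio_idc taken from the bitstream. Function names are hypothetical;
 * the table holds the VUI Table E-1 sample aspect ratios shared by H.264/H.265/H.266. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t num; uint32_t den; } sar_t;   /* 8 bytes per entry */

/* aspect_ratio_idc 0 = unspecified, 1..16 = fixed sample aspect ratios. */
static const sar_t sar_table[] = {
    {0, 0},   {1, 1},    {12, 11}, {10, 11}, {16, 11}, {40, 33},
    {24, 11}, {20, 11},  {32, 11}, {80, 33}, {18, 11}, {15, 11},
    {64, 33}, {160, 99}, {4, 3},   {3, 2},   {2, 1},
};
#define SAR_TABLE_LEN (sizeof sar_table / sizeof sar_table[0])
#define EXTENDED_SAR 255u   /* explicit sar_width / sar_height follow in the VUI */

/* Vulnerable pattern: the indicator comes straight from the stream and indexes a
 * global table with no range check, so a reserved value 17..254 reads one 8-byte
 * entry beyond the end of the table (the page's "global buffer overflow (oob read)"). */
static sar_t vui_sar_unchecked(unsigned idc) { return sar_table[idc]; }

/* Hardened lookup: any indicator not covered by the table or by EXTENDED_SAR is
 * rejected, and the caller receives a status instead of adjacent memory. */
static bool vui_sar_checked(unsigned idc, uint32_t sar_w, uint32_t sar_h, sar_t *out)
{
    if (idc == EXTENDED_SAR) { out->num = sar_w; out->den = sar_h; return true; }
    if (idc >= SAR_TABLE_LEN) return false;   /* reserved 17..254, or > 255 */
    *out = sar_table[idc];
    return true;
}

int main(void)
{
    /* Constructed sample indicator values: two valid, one reserved, one extended. */
    const unsigned idc[] = {1, 14, 17, 255};
    for (size_t i = 0; i < sizeof idc / sizeof idc[0]; i++) {
        sar_t s = {0, 0};
        bool ok = vui_sar_checked(idc[i], 7, 5, &s);
        printf("idc %3u -> %s %u:%u\n", idc[i], ok ? "ok    " : "REJECT", s.num, s.den);
    }
    /* The unchecked variant is only ever called here with an in-range value. */
    sar_t legit = vui_sar_unchecked(14);
    printf("unchecked idc 14 -> %u:%u\n", legit.num, legit.den);
    return 0;
}
```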

Affected Systems

The vulnerability is present in Red Hat Enterprise Linux 10, 9, and 8 distributions that include the GStreamer gst-plugins-bad package. The source data does not specify a precise affected version range, so it is safest to assume that any currently available package release that has not been updated with a known fix may be vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity impact focused on confidentiality. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation. Likely exploits would require a malicious H.266 video file or stream to be processed by a GStreamer-based application, implying a local or source-trusted attack vector. The exploit reads up to 8 bytes of adjacent memory, providing only a very limited data leak and no code execution or broader system compromise. Given the lack of an immediately available patch, the risk remains moderate until remediation is applied.

Generated by OpenCVE AI on June 24, 2026 at 10:06 UTC.

Remediation

Vendor Workaround

No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability.


OpenCVE Recommended Actions

  • Update the GStreamer gst-plugins-bad package to the latest RHEL release once a fix is available; check Red Hat errata for the vulnerability fix.
  • If a patch is not yet available, isolate or sandbox any applications that process H.266/VVC streams to limit their privileges and memory exposure.
  • Restrict the acceptance of H.266/VVC content to trusted sources only, and validate input before handing it to GStreamer.
  • Monitor application logs and system audit data for anomalous memory access or error patterns that may indicate exploitation attempts.
  • No official workaround is available; continue to monitor vendor updates for a fix.

Generated by OpenCVE AI on June 24, 2026 at 10:06 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 00:15:00 +0000

  References
  Metrics (threat_severity)
    Values removed: None
    Values added: Moderate

Tue, 23 Jun 2026 20:30:00 +0000

  Description
    Values added: A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
  Title
    Values added: Gstreamer1-plugins-bad: gstreamer1-plugins-bad: global buffer overflow (oob read) in h.266/vvc vui parameter parser
  First Time appeared
    Values added: Redhat; Redhat enterprise Linux
  Weaknesses
    Values added: CWE-125
  CPEs
    Values added: cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
  Vendors & Products
    Values added: Redhat; Redhat enterprise Linux
  References
  Metrics (cvssV3_1)
    Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-24T13:08:21.927Z

Reserved: 2026-06-22T11:31:30.239Z

Link: CVE-2026-12891

Vulnrichment

Updated: 2026-06-24T13:07:08.559Z

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-06-23T00:00:00Z

Links: CVE-2026-12891 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses