Description
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Key detail from CVE description: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. The flaw exists in the processing of ASF stream headers, where user-supplied data is copied into a fixed-length heap buffer without proper length validation (Key detail from vendor commit: the specific flaw exists within the processing of stream headers within ASF files). This results in a heap-based buffer overflow (CWE-120, CWE-122) that allows an attacker to execute arbitrary code in the context of the current process (Key detail from CVE description: an attacker can leverage this vulnerability to execute code). The primary impact is that a malicious actor can gain code execution on any system that uses the vulnerable GStreamer library to process ASF files, with the privileges of the process that parses the file.

Affected Systems

The affected product is GStreamer, as identified by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Affected vendors and products list only GStreamer (Key detail from known CNA vendors/products). No specific affected version information is provided in the known CNA affected version data (Key detail from known CNA affected version: not available). Therefore, all GStreamer installations that parse ASF files are potentially vulnerable unless mitigated by a patch or runtime restriction.

Risk and Exploitability

Key detail from scoring data: the CVSS score of 7.8 indicates high severity, while the EPSS score of <1% suggests a low current exploitation probability (Key detail from scoring data: EPSS Score: < 1%). The vulnerability is not listed in the CISA KEV catalog (Key detail from scoring data: KEV: not listed). The likely attack vector is a crafted ASF file delivered over the network or ingested locally; this inference is based on the requirement for interaction with the library (Key detail from CVE description), and the record's CVSS vector (AV:L, UI:R) likewise reflects that a user or application must process the file. An attacker could supply a malformed ASF stream header to trigger the heap overflow and gain code execution. Since no official workaround is listed, monitoring input traffic and applying a patch are the primary defensive measures.

Generated by OpenCVE AI on March 17, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply the latest GStreamer patch that addresses the ASF demuxer buffer overflow.
  • If a patch is unavailable, disable or bypass the ASF demuxer in affected applications or reject malformed ASF files.
  • Monitor incoming ASF files for anomalous header lengths and log any attempts to process oversized headers.
  • Keep the GStreamer library and its dependencies up to date to receive future security fixes.
  • Notify security teams of any suspicious ASF-related activity and maintain visibility into potential exploitation attempts.


Tracking


Advisories
Source | ID | Title
Debian DLA | DLA-4516-1 | gst-plugins-ugly1.0 security update
Debian DSA | DSA-6191-1 | gst-plugins-ugly1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer
Gstreamer gstreamer
Vendors & Products Gstreamer
Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
Title GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Gstreamer Gstreamer
MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-18T03:55:37.859Z

Reserved: 2026-02-20T22:26:46.339Z

Link: CVE-2026-2920

Vulnrichment

Updated: 2026-03-16T20:23:53.849Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:31.637

Modified: 2026-03-17T18:58:45.980

Link: CVE-2026-2920

Redhat

Severity : Important

Public Date: 2026-03-13T20:38:27Z

Links: CVE-2026-2920 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:45Z

Weaknesses