Description
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an integer overflow in GStreamer that occurs while processing palette data in AVIfiles formatted with the RIFF container. The flaw is caused by a lack of proper validation of user‑supplied data, allowing an attacker to trigger the overflow and overwrite memory. This attack vector can be leveraged to execute arbitrary code in the context of the current process. The weakness is classified as CWE‑190 and results in remote code execution, giving the attacker the same privileges as the GStreamer consumer application.

Affected Systems

Vendor: GStreamer; Product: GStreamer. Specific version numbers are not listed in the data, so any installation that contains the relevant library components is potentially susceptible. Organizations using GStreamer for media handling should verify whether their deployed version includes the affected palette parsing logic.

Risk and Exploitability

The CVSS score of 7.8 marks this issue as high severity, while an EPSS score of less than 1% indicates a low likelihood of being actively exploited. It is not currently included in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that the attacker be able to supply a crafted AVI file or similar input that triggers the palette parsing routine. If successful, the attacker achieves full control of the process, potentially leading to system compromise.

Generated by OpenCVE AI on March 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GStreamer update that includes the CVE‑2026‑2921 fix.
  • If a patch is not yet available, configure applications to reject or sandbox untrusted AVI files and limit the privileges of any processes that invoke GStreamer.
  • Enable logging of memory usage anomalies and monitor for signs of unexpected code execution by GStreamer.

Generated by OpenCVE AI on March 17, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4514-1 gst-plugins-base1.0 security update
Debian DSA Debian DSA DSA-6167-1 gst-plugins-base1.0 security update
Ubuntu USN Ubuntu USN USN-8130-1 GStreamer Base Plugins vulnerability
History

Sun, 29 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
References

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Mon, 16 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer
Gstreamer gstreamer
Vendors & Products Gstreamer
Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
Title GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-190
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Gstreamer Gstreamer
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-29T12:09:12.529Z

Reserved: 2026-02-20T22:26:53.743Z

Link: CVE-2026-2921

cve-icon Vulnrichment

Updated: 2026-03-29T12:09:12.529Z

cve-icon NVD

Status : Modified

Published: 2026-03-16T14:19:32.730

Modified: 2026-03-29T13:16:59.450

Link: CVE-2026-2921

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-13T20:41:50Z

Links: CVE-2026-2921 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:38Z

Weaknesses