Description
GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an out‑of‑bounds write (CWE‑787) in the GStreamer RealMedia demuxer. While processing video packets, the demuxer copies data whose size it takes from the media stream itself without checking it against the destination buffer, so a crafted RealMedia stream can make it write past the end of an allocated buffer. Memory corruption of this kind can lead to arbitrary code execution in the context of the process hosting the demuxer. Note that, despite the "remote attackers" wording in the CNA description, the attacker's position is that of whoever supplies the media file: the vulnerability is triggered when a GStreamer-based application is made to parse hostile input.
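The following C program is an added illustration of the CWE‑787 pattern described above; it is not GStreamer's rmdemux code and does not claim to reproduce the actual flaw. The packet layout (a 16-bit big-endian declared payload length followed by the payload), the 64-byte frame buffer and all function names are invented for the example. It places a demuxer-style payload copy that trusts the length field from the file beside a hardened version that validates that field against both the bytes actually present in the packet and the remaining capacity of the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative packet layout (invented for this example, not RealMedia):
 *   bytes 0..1  big-endian declared payload length
 *   bytes 2..   payload
 * Payloads of consecutive packets are appended into a fixed-size frame. */
#define MAX_FRAME 64

typedef struct {
    uint8_t frame[MAX_FRAME];
    size_t  used;               /* invariant: used <= MAX_FRAME */
} frame_buf;

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the declared length is trusted. If it exceeds the
 * bytes actually present the memcpy reads past pkt; if used + n exceeds
 * MAX_FRAME it writes past frame[] (CWE-787). Kept only to show the
 * defect; nothing below ever feeds it an oversized packet. */
static int append_payload_unchecked(frame_buf *fb, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;
    uint16_t n = rd16be(pkt);
    memcpy(fb->frame + fb->used, pkt + 2, n);   /* no bounds check */
    fb->used += n;
    return 0;
}

/* Hardened version: source and destination bounds are both checked before
 * a byte is copied, with the subtractions ordered so that the comparisons
 * themselves cannot wrap (pkt_len >= 2 and used <= MAX_FRAME hold here). */
static int append_payload_checked(frame_buf *fb, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return -1;                              /* header truncated */
    uint16_t n = rd16be(pkt);
    if ((size_t)n > pkt_len - 2)
        return -1;                              /* declares more than it carries */
    if ((size_t)n > MAX_FRAME - fb->used)
        return -1;                              /* would overrun frame[] */
    memcpy(fb->frame + fb->used, pkt + 2, n);
    fb->used += n;
    return 0;
}

/* Reports whether the unchecked path would write outside frame[] for this
 * packet, without performing the write. Returns 1 if it would, else 0. */
static int unchecked_would_overflow(const frame_buf *fb, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2)
        return 0;
    return (size_t)rd16be(pkt) > MAX_FRAME - fb->used;
}

/* Builds a constructed packet whose header may lie about the payload
 * length. Returns the total packet length written into out, 0 if it
 * does not fit in cap. */
static size_t build_packet(uint16_t declared, size_t actual, uint8_t fill,
                           uint8_t *out, size_t cap)
{
    if (cap < 2 + actual)
        return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xff);
    memset(out + 2, fill, actual);
    return 2 + actual;
}

int main(void)
{
    frame_buf fb = { {0}, 0 };
    uint8_t pkt[300];
    size_t len;

    /* Constructed benign packet: declares 8 bytes, carries 8. */
    len = build_packet(8, 8, 0x41, pkt, sizeof pkt);
    printf("benign   checked=%d unchecked-overflow=%d\n",
           append_payload_checked(&fb, pkt, len), unchecked_would_overflow(&fb, pkt, len));

    /* Constructed hostile packet: declares 200 bytes but carries 6. The
     * unchecked path would memcpy 200 bytes into a 64-byte frame. */
    len = build_packet(200, 6, 0x42, pkt, sizeof pkt);
    printf("hostile  checked=%d unchecked-overflow=%d\n",
           append_payload_checked(&fb, pkt, len), unchecked_would_overflow(&fb, pkt, len));

    /* Honest header, but only 56 bytes of frame remain: still rejected. */
    len = build_packet(60, 60, 0x43, pkt, sizeof pkt);
    printf("too-big  checked=%d unchecked-overflow=%d used=%zu\n",
           append_payload_checked(&fb, pkt, len), unchecked_would_overflow(&fb, pkt, len),
           fb.used);
    return 0;
}
```

The two checks in append_payload_checked are the ones a demuxer review looks for: the length field is compared with what the packet actually contains (source bound) and with what the destination can still hold (destination bound), and each comparison is arranged so that no subtraction can underflow. A fuzzer that mutates the length field finds the unchecked version in seconds; the checked version simply rejects the packet.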

Affected Systems

The CNA lists the affected product as GStreamer (vendor GStreamer) without an affected version range, so any GStreamer installation that ships the RealMedia demuxer should be treated as potentially vulnerable until a fixed version is identified. The NVD CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* uses a wildcard version for the same reason; it records that no range was specified rather than confirming that every version is affected. Upstream, the RealMedia demuxer (rmdemux) is part of the gst-plugins-ugly module, which is why the Debian advisories listed below are for the gst-plugins-ugly1.0 source package; systems without that module installed do not expose the vulnerable code.

Risk and Exploitability

The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, scoring 7.8 (High): no privileges are needed, but the attack vector is local and user interaction is required, which describes the scenario of a victim opening or playing a crafted RealMedia file in a GStreamer-based application (media player, browser plugin, file-manager thumbnailer or any other consumer of untrusted media). The EPSS score is below 1%, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is currently no evidence of exploitation in the wild. The practical exposure is therefore any channel through which untrusted media reaches a GStreamer pipeline: downloads, attachments, shared drives, or a server-side service that transcodes user-supplied files.

Generated by OpenCVE AI on March 17, 2026 at 20:42 UTC.

Remediation

The CNA record lists no vendor fix or workaround. Debian has published updates for the gst-plugins-ugly1.0 source package (DLA-4516-1 and DSA-6191-1, listed under Advisories below); check your distribution for the corresponding update.

OpenCVE Recommended Actions

  • Verify whether a fixed GStreamer release, or an updated gst-plugins-ugly package from your distribution (as Debian has issued), is available and apply it.
  • If no patch is available, reduce the set of applications that feed untrusted media to GStreamer: given the AV:L/UI:R vector, this means downloads, attachments and automatic thumbnailing as much as network-exposed transcoding services.
  • Monitor for crashes (segmentation faults, abort signals) in processes that use GStreamer, which is how memory-corruption attempts against a demuxer typically surface; an unexplained crash while handling a RealMedia file is worth a look.
  • Where RealMedia playback is not needed, check with gst-inspect-1.0 rmdemux whether the element is present and remove the gst-plugins-ugly RealMedia plugin; as an interim measure, GStreamer 1.18 and later can be told not to autoplug it by setting GST_PLUGIN_FEATURE_RANK=rmdemux:NONE in the environment of the affected applications (this prevents automatic selection by playbin/decodebin but does not stop code that instantiates the element explicitly). Run applications that must parse untrusted media in a sandbox so that a successful exploit is confined to a low-privilege process.

Generated by OpenCVE AI on March 17, 2026 at 20:42 UTC.


Advisories
Source      ID          Title
Debian DLA  DLA-4516-1  gst-plugins-ugly1.0 security update
Debian DSA  DSA-6191-1  gst-plugins-ugly1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer
Gstreamer gstreamer
Vendors & Products Gstreamer
Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.
Title GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability
Weaknesses CWE-787
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-18T03:55:38.961Z

Reserved: 2026-02-20T22:27:05.349Z

Link: CVE-2026-2922

Vulnrichment

Updated: 2026-03-16T20:24:51.916Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:32.877

Modified: 2026-03-17T18:59:21.860

Link: CVE-2026-2922

Redhat

Severity : Important

Public Date: 2026-03-13T20:38:49Z

Links: CVE-2026-2922 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:44Z

Weaknesses