Description
GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in GStreamer's handling of DVB subtitle coordinates, where improper validation of user-supplied data can lead to a write beyond the end of a buffer. This out-of-bounds write (CWE-787) enables an attacker to execute arbitrary code in the context of the current process, as stated in the vendor description. The impact is a full compromise of the application using the library, potentially affecting confidentiality, integrity, and availability of the host system.
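The defect class described above, region coordinates taken from the stream and used to address a fixed-size page buffer without being checked against its bounds, is easiest to see in a small C illustration. The block below is an added example, not GStreamer code and not the change in the referenced fix commit: `SubPage`, `Region`, `region_fits` and `fill_region_checked` are hypothetical names, and the 720x576 page and the region values are constructed inputs. It shows the validation that has to run before every write, and why the comparison is done in 64-bit arithmetic so that a very large coordinate cannot wrap past the check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical subtitle page: a width x height, one-byte-per-pixel bitmap.
 * Constructed for this example; it is not GStreamer's data layout. */
typedef struct {
    int width;
    int height;
    uint8_t *pixels;
} SubPage;

/* Region placement as decoded from the stream: attacker-controlled input. */
typedef struct {
    int x, y, w, h;
} Region;

SubPage *subpage_new(int width, int height)
{
    if (width <= 0 || height <= 0) return NULL;
    SubPage *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->width = width;
    p->height = height;
    p->pixels = calloc((size_t)width * (size_t)height, 1);
    if (!p->pixels) { free(p); return NULL; }
    return p;
}

void subpage_free(SubPage *p)
{
    if (!p) return;
    free(p->pixels);
    free(p);
}

/* The check the advisory's flaw class lacks: every coordinate is validated
 * against the destination before a single byte is written. The additions
 * are done in 64-bit so that a huge x or w cannot wrap around in 32-bit
 * arithmetic and slip past the comparison. */
bool region_fits(const SubPage *page, const Region *r)
{
    if (!page || !r || !page->pixels) return false;
    if (r->x < 0 || r->y < 0 || r->w <= 0 || r->h <= 0) return false;
    if ((int64_t)r->x + (int64_t)r->w > (int64_t)page->width) return false;
    if ((int64_t)r->y + (int64_t)r->h > (int64_t)page->height) return false;
    return true;
}

/* Fill a region with colour index c. Returns 0 on success, -1 when the
 * region is rejected; on rejection nothing is written. */
int fill_region_checked(SubPage *page, const Region *r, uint8_t c)
{
    if (!region_fits(page, r)) return -1;
    for (int row = 0; row < r->h; row++) {
        size_t off = (size_t)(r->y + row) * (size_t)page->width + (size_t)r->x;
        memset(page->pixels + off, c, (size_t)r->w);
    }
    return 0;
}

/* Constructed scenarios: returns how many of the expected outcomes held,
 * 6 when the validation behaves as intended. */
int run_scenarios(void)
{
    int ok = 0;
    SubPage *page = subpage_new(720, 576);          /* SD DVB page size */
    if (!page) return 0;

    Region inside     = { 10, 20, 100, 50 };
    Region past_right = { 700, 20, 40, 50 };        /* x + w = 740 > 720 */
    Region negative   = { -1, 0, 10, 10 };
    Region wrap       = { INT_MAX, 0, 2, 2 };       /* x + w wraps in 32-bit */

    ok += fill_region_checked(page, &inside, 7) == 0;
    ok += page->pixels[(size_t)20 * 720 + 10] == 7;   /* top-left of region */
    ok += page->pixels[(size_t)20 * 720 + 110] == 0;  /* one past its right edge */
    ok += fill_region_checked(page, &past_right, 9) == -1;
    ok += fill_region_checked(page, &negative, 9) == -1;
    ok += fill_region_checked(page, &wrap, 9) == -1;

    subpage_free(page);
    return ok;
}

int main(void)
{
    return run_scenarios() == 6 ? 0 : 1;
}
```

The `wrap` case is the one worth remembering when reviewing this kind of fix: a check written as `r->x + r->w > page->width` in plain `int` arithmetic overflows to a negative value and passes, which is why the validation above widens to `int64_t` before comparing.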

Affected Systems

The affected product is the GStreamer multimedia framework, with all installations that rely on the DVB subtitle component. No specific version range is provided in the data; therefore any installation that has not applied the referenced patch should be considered vulnerable.

Risk and Exploitability

A CVSS score of 7.8 indicates high severity. The EPSS score is less than 1%, suggesting that exploitation is currently rare or not publicly known, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, requiring interaction with the GStreamer library (e.g., playing a crafted media stream), as the description notes that remote attackers can exploit the flaw. While the likelihood appears low, the availability of a remote code execution path warrants prompt attention.

Generated by OpenCVE AI on March 17, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the GStreamer patch referenced in commit 3b8253f447bcc9831dbf643d2c69b205fedbe086
  • Verify that the local GStreamer version is at least the one containing the fix
  • If the patch cannot be applied immediately, isolate the application from untrusted media streams or restrict network access to reduce exposure

Generated by OpenCVE AI on March 17, 2026 at 20:42 UTC.

Advisories

Source      ID          Title
Debian DLA  DLA-4530-1  gst-plugins-bad1.0 security update
Debian DSA  DSA-6190-1  gst-plugins-bad1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000

  • CPEs added: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

  • References: updated (no values recorded)
  • Metrics removed: threat_severity None
  • Metrics added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  • Metrics added: threat_severity Important

Mon, 16 Mar 2026 21:15:00 +0000

  • Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

  • First time appeared: vendor Gstreamer, product gstreamer
  • Vendors & Products added: Gstreamer / gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

  • Description added: GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.
  • Title added: GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability
  • Weaknesses added: CWE-787
  • References: updated (no values recorded)
  • Metrics added: cvssV3_0 {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-17T03:55:38.806Z

Reserved: 2026-02-20T22:27:14.230Z

Link: CVE-2026-2923

Vulnrichment

Updated: 2026-03-16T20:25:20.173Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:33.013

Modified: 2026-03-17T18:59:35.180

Link: CVE-2026-2923

Redhat

Severity: Important

Public Date: 2026-03-13T20:39:01Z

Links: CVE-2026-2923 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:43Z

Weaknesses