Description
GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack‑based buffer overflow in GStreamer’s H.266 codec parser. It occurs because the parser fails to validate the length of user‑supplied data before copying it into a fixed‑size stack buffer. When triggered, this flaw can lead to arbitrary code execution in the context of the process that has loaded GStreamer. The weakness corresponds to CWE‑120 (Buffer Copy without Checking Size) and CWE‑121 (Stack‑Based Buffer Overrun).

Affected Systems

The affected product is GStreamer, from the vendor GStreamer. The CNA provides no specific version numbers; the advisory references commit 2ffdfca2df95a7f605c922d3111e5d5be5314dca. Consequently, any GStreamer release that includes the unpatched H.266 parser, likely versions after the referenced commit, could be vulnerable. Users should verify whether their installed GStreamer matches the commit or check for an applicable patch.

Risk and Exploitability

The CVSS score is 7.8, indicating a high severity impact. The EPSS score is reported as less than 1 %, suggesting that exploitation is currently rare, but it is not impossible. This vulnerability is not listed in the CISA KEV catalog. Attackers must interact with the vulnerable library, and the description implies that an attacker can supply malicious media content. The exact remote vector is inferred from the phrase "Interaction with this library is required to exploit" rather than explicitly stated in the data.

Generated by OpenCVE AI on March 17, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the GStreamer vendor website or official advisories for a patch or updated release that fixes CVE‑2026‑3081.
  • If a patch or new version is available, upgrade GStreamer immediately to remove the vulnerability.
  • In the absence of an official patch, isolate untrusted media streams before feeding them to GStreamer, employing sandboxing or other containment techniques to limit potential damage.
  • Continuously monitor GStreamer security advisories and apply any future fixes as soon as they become available.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6190-1 gst-plugins-bad1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer
Gstreamer gstreamer
Vendors & Products Gstreamer
Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839.
Title GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-121
References
Metrics cvssV3_0

{'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-17T12:43:51.002Z

Reserved: 2026-02-23T21:45:55.366Z

Link: CVE-2026-3081

Vulnrichment

Updated: 2026-03-17T12:43:48.044Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:46.047

Modified: 2026-03-17T18:58:06.030

Link: CVE-2026-3081

Redhat

Severity: Important

Published Date: 2026-03-13T20:39:20Z

Links: CVE-2026-3081 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:42Z

Weaknesses