Description
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a heap-based buffer overflow in the GStreamer JPEG parser when it processes Huffman tables. The flaw is caused by inadequate validation of the length of user-supplied data before copying it into a fixed-size heap buffer. An attacker can craft a malicious JPEG stream to overflow the buffer, allowing execution of arbitrary code in the context of the running process. This presents a classic remote code execution attack surface and could also lead to denial-of-service if the overflow triggers a crash.
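The length check that the Description and the Impact paragraph describe as missing, shown as an added example: this is not GStreamer's code and makes no claim about how its parser is structured. It is a hypothetical parser for one JPEG DHT (Define Huffman Table) entry that bounds the attacker-controlled sum of the 16 BITS counts by the fixed 256-byte heap buffer, and by the bytes actually present, before copying; the sample inputs are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define HUFF_MAX_SYMBOLS 256 /* a JPEG Huffman table carries at most 256 symbol values */

/* Parse one DHT table (Tc/Th byte, 16 BITS counts, then HUFFVAL) from `payload`, the bytes after
 * the segment length field. On success *symbols is a fixed-size heap buffer of HUFF_MAX_SYMBOLS
 * bytes and the return value is the bytes consumed; 0 means the table was rejected. */
size_t parse_dht_table(const uint8_t *payload, size_t len, uint8_t **symbols, size_t *nsymbols)
{
    if (len < 17) return 0;                                /* header + BITS must be present */
    uint8_t tcth = payload[0];
    if ((tcth >> 4) > 1 || (tcth & 0x0F) > 3) return 0;    /* class 0/1, id 0..3 */
    size_t total = 0;
    for (int i = 0; i < 16; i++) total += payload[1 + i];  /* BITS[i] = number of codes of length i+1 */
    /* The check whose absence is CWE-122: the sum of BITS is attacker controlled (up to 4080)
     * and must be bounded by the fixed buffer size before anything is copied. */
    if (total > HUFF_MAX_SYMBOLS) return 0;
    if (total > len - 17) return 0;                        /* HUFFVAL must lie inside the segment */
    *symbols = calloc(HUFF_MAX_SYMBOLS, 1);
    if (!*symbols) return 0;
    memcpy(*symbols, payload + 17, total);
    *nsymbols = total;
    return 17 + total;
}

/* Constructed sample (not from any real stream): the standard DC luminance table, 12 symbols. */
static const uint8_t sample_dc_lum[] = {
    0x00,                                            /* Tc = 0 (DC), Th = 0 */
    0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0,  /* BITS, sum = 12 */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11             /* HUFFVAL */
};

/* Number of symbols parsed from the valid sample, or 0 if it was not consumed whole (expected 12). */
size_t demo_valid_table(void)
{
    uint8_t *syms = NULL; size_t n = 0;
    size_t used = parse_dht_table(sample_dc_lum, sizeof sample_dc_lum, &syms, &n);
    free(syms);
    return used == sizeof sample_dc_lum ? n : 0;
}

/* 1 when a table whose BITS claim 16 * 255 = 4080 symbols is rejected before any copy. */
int demo_oversized_rejected(void)
{
    uint8_t buf[17 + 4080], *syms = NULL; size_t n = 0;
    memset(buf, 0xFF, sizeof buf);                         /* every BITS entry = 255 */
    buf[0] = 0x10;                                         /* Tc = 1 (AC), Th = 0: valid header */
    return parse_dht_table(buf, sizeof buf, &syms, &n) == 0 && syms == NULL;
}
```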

Affected Systems

The flaw affects installations of GStreamer. No specific version ranges are listed in the available data, so any deployment running GStreamer should be treated as vulnerable until a patch is applied. The CPE string for the affected product is cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires getting a crafted JPEG stream in front of a GStreamer-enabled application: the recorded CVSS vector (AV:L, UI:R) models this as local with user interaction, but the effective vector is local or remote depending on how the application accepts input. Although a crafted file is required, the potential impact (arbitrary code execution) makes this a critical risk for exposed services.

Generated by OpenCVE AI on March 17, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GStreamer release that contains the fix for CVE-2026-3082.
  • If a patch is not immediately available, reconfigure the application to reject or sandbox untrusted JPEG input before it reaches the GStreamer library.
  • Consider restricting network access or using a proxy to limit exposure to untrusted JPEG streams.
  • Verify that the update or mitigation has removed the buffer overflow path by using linting or binary analysis tools if possible.
  • Stay informed of vendor advisories for further updates or additional mitigations.



Advisories

Source      ID          Title
Debian DLA  DLA-4530-1  gst-plugins-bad1.0 security update
Debian DSA  DSA-6190-1  gst-plugins-bad1.0 security update

History

Tue, 17 Mar 2026 19:00:00 +0000
  CPEs                  added: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 13:15:00 +0000
  Metrics               added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 00:15:00 +0000
  Weaknesses            added: CWE-120
  References            (no values recorded)
  Metrics               removed: threat_severity = None
                        added: cvssV3_1 = {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                        added: threat_severity = Important

Mon, 16 Mar 2026 10:15:00 +0000
  First Time appeared   added: Gstreamer; Gstreamer gstreamer
  Vendors & Products    added: Gstreamer; Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000
  Description           added: the description text shown in the Description section above
  Title                 added: GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability
  Weaknesses            added: CWE-122
  References            (no values recorded)
  Metrics               added: cvssV3_0 = {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-18T03:55:31.109Z

Reserved: 2026-02-23T21:46:13.855Z

Link: CVE-2026-3082

Vulnrichment

Updated: 2026-03-17T12:53:14.926Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:46.190

Modified: 2026-03-17T18:57:55.267

Link: CVE-2026-3082

Redhat

Severity: Important

Public Date: 2026-03-13T20:39:33Z

Links: CVE-2026-3082 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:41Z

Weaknesses