Description
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An out-of-bounds write in GStreamer’s rtpqdm2depay element allows remote attackers to execute arbitrary code. The flaw occurs while parsing X-QDM RTP payload elements, specifically the packetid field, which fails to validate user-supplied data, leading to a write past the end of an allocated array. This enables a malicious actor to execute code in the context of the current process, a direct Remote Code Execution (RCE) impact.
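The record classifies the flaw as CWE-129 (improper validation of an array index) leading to a CWE-787 out-of-bounds write: an index read from the wire is used to select an array slot without first being bounded by the array size. The following is an added illustration of that defect class and the check that removes it; it is not GStreamer's code and does not reproduce the real rtpqdm2depay logic. The slot count, the two-byte packet layout (packetid, length) and the function names are all assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not GStreamer's rtpqdm2depay: a depayloader that
 * reassembles fragments into a fixed array of slots, selecting the slot with
 * a packet id read straight from the untrusted payload. */
#define SLOT_COUNT 16
#define SLOT_BYTES 64

typedef struct {
    uint8_t data[SLOT_BYTES];
    size_t len;
    int filled;
} slot_t;

typedef struct {
    slot_t slots[SLOT_COUNT];
    unsigned rejected;   /* packets dropped by validation */
} depay_state_t;

void depay_init(depay_state_t *st) { memset(st, 0, sizeof *st); }

/* Stores one packet. Returns 0 on success, -1 if the packet is rejected.
 * Assumed layout: byte 0 = packetid, byte 1 = body length, then the body.
 * Both values come from the network, so each must be bounded by the array it
 * indexes before any write. Omitting the packetid check would let an id of
 * SLOT_COUNT or more write past the end of st->slots, which is the CWE-787
 * condition the advisory describes. */
int depay_store(depay_state_t *st, const uint8_t *payload, size_t payload_len)
{
    if (payload_len < 2)
        return -1;                         /* header incomplete */

    unsigned packetid = payload[0];
    size_t len = payload[1];
    const uint8_t *body = payload + 2;

    if (packetid >= SLOT_COUNT) {          /* index validation (CWE-129) */
        st->rejected++;
        return -1;
    }
    if (len > SLOT_BYTES || len > payload_len - 2) {   /* length validation */
        st->rejected++;
        return -1;
    }

    memcpy(st->slots[packetid].data, body, len);
    st->slots[packetid].len = len;
    st->slots[packetid].filled = 1;
    return 0;
}

/* Self-check over constructed packets: returns 1 if validation behaves as
 * intended (one accepted, two rejected), 0 otherwise. */
int depay_selfcheck(void)
{
    static const uint8_t good[]    = { 3, 4, 'a', 'b', 'c', 'd' };  /* in range */
    static const uint8_t bad_id[]  = { 200, 1, 'x' };               /* id >= SLOT_COUNT */
    static const uint8_t bad_len[] = { 1, 100, 'y' };               /* len > SLOT_BYTES */
    depay_state_t st;

    depay_init(&st);
    if (depay_store(&st, good, sizeof good) != 0) return 0;
    if (st.slots[3].len != 4 || !st.slots[3].filled) return 0;
    if (depay_store(&st, bad_id, sizeof bad_id) != -1) return 0;
    if (depay_store(&st, bad_len, sizeof bad_len) != -1) return 0;
    return st.rejected == 2;
}

int main(void)
{
    printf("index validation self-check: %s\n", depay_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The design point is that both the index and the length are checked against compile-time array bounds before the memcpy, and rejected packets are counted rather than silently dropped, which gives a defender a cheap signal (a rising rejection count on a live stream) without changing the data path.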

Affected Systems

Vendor: GStreamer, Product: GStreamer library. All releases containing the rtpqdm2depay element prior to the patch are affected; specific version numbers are not disclosed in the CVE record.

Risk and Exploitability

The CVSS score of 8.8 marks the vulnerability as high severity. The EPSS score is below 1%, indicating a low but present likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can deliver a malicious RTP stream with crafted X-QDM data to trigger the out-of-bounds write; once triggered, the attacker can run arbitrary code with the privileges of the process using GStreamer.

Generated by OpenCVE AI on March 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GStreamer update that includes a fix for CVE-2026-3083.
  • Until a patch is available, prevent the GStreamer library from processing untrusted RTP streams or block network ports associated with RTP traffic.
  • Monitor system logs for signs of unexpected process execution or memory corruption events.


Advisories

Source: Ubuntu USN
ID: USN-8131-1
Title: GStreamer Good Plugins vulnerabilities
History

Tue, 17 Mar 2026 19:00:00 +0000

CPEs (added): cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Weaknesses (added): CWE-787
References
Metrics (removed): threat_severity None
Metrics (added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; threat_severity Important

Mon, 16 Mar 2026 16:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

First Time appeared (added): Gstreamer; Gstreamer gstreamer
Vendors & Products (added): Gstreamer; Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Description (added): GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
Title (added): GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability
Weaknesses (added): CWE-129
References
Metrics (added): cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-18T03:55:32.323Z

Reserved: 2026-02-23T21:46:26.650Z

Link: CVE-2026-3083

Vulnrichment

Updated: 2026-03-16T15:31:52.289Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:46.327

Modified: 2026-03-17T18:57:46.047

Link: CVE-2026-3083

Redhat

Severity: Important

Public Date: 2026-03-13T20:41:31Z

Links: CVE-2026-3083 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:39Z

Weaknesses