Description
GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in the parsing of picture partitions within the GStreamer H.266 codec parser and leads to an integer underflow before memory is written. According to the vendor description, the flaw arises from insufficient validation of user-supplied data, ultimately permitting an attacker to execute arbitrary code in the context of the running process. This results in full compromise of the confidentiality, integrity, and availability of the process that loads the library.

Affected Systems

Affected vendor is GStreamer. The affected product is GStreamer itself; specific version information is not supplied in the CNA data. Users of any GStreamer installation that processes H.266 encoded video streams and otherwise depends on GStreamer’s H.266 parsing capabilities are potentially impacted.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is reported as less than 1%, indicating a low estimated probability of exploitation in the wild. It is not listed in CISA's KEV catalog. Based on the description, the likely attack vector requires an attacker to supply crafted H.266 data that is parsed by GStreamer, so delivery paths such as network streams, file uploads, or multimedia playback could be used. Note that the CVSS vector recorded for this CVE (AV:L, UI:R) models the attack as local with user interaction: the vulnerable code runs when a victim opens or plays attacker-supplied content, which matches the description's statement that interaction with the library is required. The vulnerability is exploitable whenever the parser is invoked on content the attacker controls and the picture-partition parsing path is reached.

Generated by OpenCVE AI on March 17, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest GStreamer update that addresses CVE-2026-3084.
  • If no update is available, reduce exposure by disabling H.266 support or sandboxing GStreamer when processing untrusted multimedia content.
  • Monitor GStreamer vendor advisories for patch releases and apply promptly.

Advisories

Source: Debian DSA
ID: DSA-6190-1
Title: gst-plugins-bad1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000
  Type: CPEs
    Values added: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000
  Type: References
  Type: Metrics
    threat_severity: removed None; added Important
    cvssV3_1: added {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 16 Mar 2026 16:15:00 +0000
  Type: Metrics
    ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
  Type: First Time appeared
    Values added: Gstreamer; Gstreamer gstreamer
  Type: Vendors & Products
    Values added: Gstreamer; Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000
  Type: Description
    Values added: the CNA description reproduced in the Description section above
  Type: Title
    Values added: GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability
  Type: Weaknesses
    Values added: CWE-191
  Type: References
  Type: Metrics
    cvssV3_0: added {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE
  Status: PUBLISHED
  Assigner: zdi
  Published:
  Updated: 2026-03-18T03:55:33.506Z
  Reserved: 2026-02-23T21:46:43.420Z
  Link: CVE-2026-3084

Vulnrichment
  Updated: 2026-03-16T15:31:47.563Z

NVD
  Status: Analyzed
  Published: 2026-03-16T14:19:46.477
  Modified: 2026-03-17T18:57:37.060
  Link: CVE-2026-3084

Redhat
  Severity: Important
  Public Date: 2026-03-13T20:42:03Z
  Links: CVE-2026-3084 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-03-23T13:39:37Z

Weaknesses