Description
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
Published: 2026-03-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Key detail from vendor description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer through a heap-based buffer overflow in the rtpqdm2depay component. The flaw arises from insufficient validation of the length of user-supplied data before copying it into a heap-based buffer while processing X‑QDM RTP payloads. An attacker can exploit this to run code in the context of the current process, thereby compromising confidentiality, integrity, and availability of the host system.

Affected Systems

Affected systems include any installation of GStreamer that includes the rtpqdm2depay module; the CNA identifies the product as GStreamer:GStreamer with no specific producer or compilation details. No affected version range is provided in the CNA data, so all builds that include this component are potentially vulnerable until a fix is released.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring interaction with the RTP de‑multiplexer component; an attacker may supply crafted X‑QDM payloads over a network to trigger the overflow. No public exploit code is referenced in the provided data, but the ability to execute arbitrary code is direct and conclusive.

Generated by OpenCVE AI on March 17, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the GStreamer project for an official patch or newer release that addresses the rtpqdm2depay overflow.
  • If a patch is unavailable, consider disabling or removing the rtpqdm2depay element from the application’s GStreamer pipeline if it is not required for functionality.
  • Limit exposure by filtering or blocking RTP streams containing X‑QDM payloads from untrusted sources.
  • Maintain system and application updates regularly to benefit from future fixes.

Advisories
Source: Ubuntu USN
ID: USN-8131-1
Title: GStreamer Good Plugins vulnerabilities

History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1284
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer
Gstreamer gstreamer
Vendors & Products Gstreamer
Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
Title GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-03-18T03:55:35.571Z

Reserved: 2026-02-23T21:46:57.953Z

Link: CVE-2026-3085

Vulnrichment

Updated: 2026-03-16T20:25:53.791Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:46.620

Modified: 2026-03-17T18:57:21.210

Link: CVE-2026-3085

Redhat

Severity: Important

Public Date: 2026-03-13T20:40:02Z

Links: CVE-2026-3085 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:40Z
