Description
GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911.
Published: 2026-03-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Update
AI Analysis

Impact

GStreamer's H.266 codec parser contains an out-of-bounds write (CWE-787). While processing APS units it can write past the end of an allocated buffer, because user-supplied data in the stream is not properly validated before it is used; a crafted stream can therefore corrupt memory and execute arbitrary code in the context of the process that loaded the parser. The advisory (ZDI-CAN-28911) gives the lack of proper validation of user-supplied data as the root cause and rates the outcome as code execution.
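The pattern behind a CWE-787 write of this kind, as an added illustration that is not GStreamer's code and does not reproduce the actual flaw: a hypothetical parser keeps a fixed-size table of parameter sets and indexes it with an id read straight from the bitstream. The table size of 8, the one-byte header of a 3-bit type and a 5-bit id, the 16-byte payload and every function name are assumptions made for the example. The vulnerable and hardened routines sit side by side, and a canary region placed directly after the table shows which one writes past it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added, hypothetical illustration of the CWE-787 pattern the advisory names.
 * Not GStreamer's parser and not the actual CVE-2026-3086 flaw: a made-up
 * parameter-set table indexed by an id read straight from the bitstream.
 * Assumed unit layout: one header byte (3-bit params_type, 5-bit id) followed
 * by a fixed 16-byte payload. */

#define MAX_APS_PER_TYPE 8        /* assumed: slots the parser allocated */
#define APS_ID_BITS      5        /* assumed: the id field can encode 0..31 */
#define APS_PAYLOAD_LEN  16       /* assumed fixed payload size */
#define APS_UNIT_LEN     (1 + APS_PAYLOAD_LEN)
#define CANARY           0xA5

typedef struct {
    uint8_t present;
    uint8_t payload[APS_PAYLOAD_LEN];
} aps_entry;

typedef struct {
    aps_entry table[MAX_APS_PER_TYPE];
    /* Memory right after the table, filled with CANARY. It is sized so that
     * every id the 5-bit field can carry still lands inside this struct: the
     * bad write stays observable without the demo touching unrelated memory. */
    uint8_t after_table[((1u << APS_ID_BITS) - MAX_APS_PER_TYPE) * sizeof(aps_entry)];
} aps_store;

void aps_store_init(aps_store *s) {
    memset(s->table, 0, sizeof s->table);
    memset(s->after_table, CANARY, sizeof s->after_table);
}

/* True while nothing has been written past the end of the table. */
bool canary_intact(const aps_store *s) {
    for (size_t i = 0; i < sizeof s->after_table; i++)
        if (s->after_table[i] != CANARY) return false;
    return true;
}

/* Builds a constructed unit: header byte = type << 5 | id, then the payload. */
void make_aps_unit(uint8_t type, uint8_t id, uint8_t fill, uint8_t out[APS_UNIT_LEN]) {
    out[0] = (uint8_t)(((type & 7u) << 5) | (id & 31u));
    memset(out + 1, fill, APS_PAYLOAD_LEN);
}

/* Vulnerable pattern: the id is trusted as an index. Any id in 8..31 writes a
 * whole entry past the end of `table`. */
bool parse_aps_vulnerable(aps_store *s, const uint8_t *unit, size_t len) {
    if (len < APS_UNIT_LEN) return false;
    uint8_t id = unit[0] & 31u;
    aps_entry *slot = s->table + id;     /* no range check on id */
    slot->present = 1;
    memcpy(slot->payload, unit + 1, APS_PAYLOAD_LEN);
    return true;
}

/* Hardened pattern: every stream-supplied value is checked against what the
 * parser actually allocated before it is used as an index. */
bool parse_aps_hardened(aps_store *s, const uint8_t *unit, size_t len) {
    if (len < APS_UNIT_LEN) return false;            /* truncated unit */
    uint8_t type = unit[0] >> 5;
    uint8_t id   = unit[0] & 31u;
    if (type > 2) return false;                      /* assumed: types 0..2 only */
    if (id >= MAX_APS_PER_TYPE) return false;        /* the check that was missing */
    aps_entry *slot = &s->table[id];
    slot->present = 1;
    memcpy(slot->payload, unit + 1, APS_PAYLOAD_LEN);
    return true;
}

/* Feeds one unit with the given id to both parsers on fresh stores.
 * Returns 0 when both accept it and nothing past the table changed,
 *         1 when the vulnerable parser accepted it and corrupted memory past
 *           the table while the hardened parser rejected it untouched,
 *        -1 for any other outcome. */
int demo(uint8_t id) {
    uint8_t unit[APS_UNIT_LEN];
    make_aps_unit(0, id, 0x41, unit);

    aps_store v, h;
    aps_store_init(&v);
    aps_store_init(&h);
    bool v_ok = parse_aps_vulnerable(&v, unit, sizeof unit);
    bool h_ok = parse_aps_hardened(&h, unit, sizeof unit);

    if (v_ok && h_ok && canary_intact(&v) && canary_intact(&h)) return 0;
    if (v_ok && !canary_intact(&v) && !h_ok && canary_intact(&h)) return 1;
    return -1;
}

/* Both parsers must refuse a unit shorter than the declared layout. */
bool demo_truncated(void) {
    uint8_t unit[APS_UNIT_LEN];
    aps_store s;
    make_aps_unit(0, 1, 0x41, unit);
    aps_store_init(&s);
    return !parse_aps_vulnerable(&s, unit, 5) && !parse_aps_hardened(&s, unit, 5);
}

int main(void) {
    printf("id 3  -> %d (0: in range, both parsers accept)\n", demo(3));
    printf("id 8  -> %d (1: first slot past the table)\n", demo(8));
    printf("id 31 -> %d (1: last slot the 5-bit field can name)\n", demo(31));
    return 0;
}
```

The point carried over to a real parser is the one the advisory states: an id, count or length taken from the stream is compared against the size the parser actually allocated before it is used as an index or a copy length, and a unit that fails the check is rejected rather than partially applied. A fuzzer with a memory sanitizer attached finds the vulnerable variant in seconds, because the unchecked index turns a one-byte change in the header into a write outside the table.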

Affected Systems

The affected software is the GStreamer multimedia framework; the NVD CPE recorded in the history below (cpe:2.3:a:gstreamer:gstreamer:*:...) carries no version bounds, and the available data names no fixed version. The H.266 codec parser belongs to the codec-parser library shipped in the gst-plugins-bad package, which is the package Debian updates in DSA-6190-1 (see Advisories), so on Debian-based systems check gst-plugins-bad1.0 rather than the core gstreamer package. Treat every installation whose applications can load the H.266 parser as affected until it is updated.

Risk and Exploitability

The CVSS 3.1 vector recorded below (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) scores 7.8, High: no privileges are needed and the impact on confidentiality, integrity and availability is high, but the attack vector is local and user interaction is required. In practice a crafted H.266 stream has to reach an application that hands it to GStreamer's parser, for example a media player opening a downloaded file or a service that transcodes or thumbnails untrusted media; the "remote" in the title refers to how the file is delivered, not to a network-listening service, which is why the advisory says the attack vector depends on the implementation. The EPSS score below 1% indicates a low current likelihood of exploitation, the SSVC assessment in the history below records Exploitation: none and Automatable: no with a total technical impact, and the vulnerability is not listed in the CISA KEV catalog. No workaround is published, so updating the affected component is the mitigation.

Generated by OpenCVE AI on March 17, 2026 at 20:41 UTC.

Remediation

No upstream GStreamer fix or workaround is recorded on this page. Debian has issued DSA-6190-1 for gst-plugins-bad1.0 (see Advisories below); on other distributions, look for an updated gst-plugins-bad package.

OpenCVE Recommended Actions

  • Apply the latest GStreamer update that addresses CVE-2026-3086
  • If a patch is not yet available, restrict or isolate processes that load H.266 streams from untrusted sources
  • Configure security monitoring to detect anomalous crashes or memory corruption events tied to GStreamer
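Detection logic for the last recommendation, as an added example that is not OpenCVE's or GStreamer's code. It scans constructed kernel log lines in the form the x86 Linux kernel prints for a user-space SIGSEGV, "comm[pid]: segfault at ADDR ip IP sp SP error CODE in OBJECT[...]", and rates faults that land in GStreamer code by the page-fault error code: bit 1 set means the faulting access was a write, the symptom an out-of-bounds write like this one produces when it reaches unmapped memory, so those get the highest rating. The sample lines, process names, addresses and the "gst" substring match are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenCVE's or GStreamer's code. Scans kernel log lines for
 * user-space segfaults and rates the ones that land in GStreamer code.
 * Line shape assumed (x86 Linux segfault message as journald records it):
 *   ... kernel: COMM[PID]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
 * x86 page-fault error-code bits: 1 = protection violation, 2 = write access,
 * 4 = user mode, 16 = instruction fetch. */

enum verdict {
    NOT_A_SEGFAULT  = 0,  /* line is not a segfault record */
    OTHER_SEGFAULT  = 1,  /* segfault outside GStreamer code */
    GST_READ_FAULT  = 2,  /* read fault in GStreamer code (typical null deref) */
    GST_WRITE_FAULT = 3   /* write fault in GStreamer code: memory-corruption symptom */
};

typedef struct {
    char comm[32];
    int pid;
    unsigned long addr, ip, sp, err;
    char object[128];     /* empty when the kernel printed no " in OBJ" part */
} segfault_event;

bool parse_segfault(const char *line, segfault_event *ev) {
    static const char marker[] = "segfault at ";
    const char *p = strstr(line, marker);
    if (!p) return false;

    /* "COMM[PID]:" sits just before the marker; walk back to pick it apart. */
    const char *close = NULL, *open = NULL;
    for (const char *q = p; q > line; q--) if (q[-1] == ']') { close = q - 1; break; }
    if (!close) return false;
    for (const char *q = close; q > line; q--) if (q[-1] == '[') { open = q - 1; break; }
    if (!open) return false;
    const char *start = open;
    while (start > line && start[-1] != ' ') start--;
    size_t n = (size_t)(open - start);
    if (n >= sizeof ev->comm) n = sizeof ev->comm - 1;
    memcpy(ev->comm, start, n);
    ev->comm[n] = '\0';
    ev->pid = atoi(open + 1);

    ev->object[0] = '\0';
    int got = sscanf(p + sizeof marker - 1, "%lx ip %lx sp %lx error %lx in %127[^[]",
                     &ev->addr, &ev->ip, &ev->sp, &ev->err, ev->object);
    return got >= 4;  /* the " in OBJ" part is optional */
}

enum verdict classify(const segfault_event *ev) {
    bool in_gst = strstr(ev->object, "gst") != NULL || strncmp(ev->comm, "gst", 3) == 0;
    if (!in_gst) return OTHER_SEGFAULT;
    return (ev->err & 2) ? GST_WRITE_FAULT : GST_READ_FAULT;
}

enum verdict scan_line(const char *line) {
    segfault_event ev;
    if (!parse_segfault(line, &ev)) return NOT_A_SEGFAULT;
    return classify(&ev);
}

/* Constructed sample log lines; names and addresses are made up. */
#define SAMPLE_COUNT 4
const char *const SAMPLE_LINES[SAMPLE_COUNT] = {
    "Mar 17 20:41:03 host kernel: player[4121]: segfault at 7f3c2a9d1a40 ip 00007f3c3b0c8e2d sp 00007ffd1c2a0b10 error 6 in libgstcodecparsers-1.0.so.0.2600.0[7f3c3b0a0000+6d000]",
    "Mar 17 20:42:11 host kernel: gst-launch-1.0[5210]: segfault at 0 ip 00007f8a11c42f10 sp 00007ffe4a3b2c20 error 4 in libgstcodecparsers-1.0.so.0.2600.0[7f8a11c00000+6d000]",
    "Mar 17 20:43:40 host kernel: browser[3001]: segfault at 10 ip 000055d2c3a1b2c4 sp 00007ffc9a1e0f00 error 4 in browser[55d2c3a00000+2000000]",
    "Mar 17 20:44:02 host sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51022",
};

/* Counts verdicts over a batch of lines; counts[] is indexed by enum verdict. */
void tally(const char *const *lines, size_t n, int counts[4]) {
    memset(counts, 0, 4 * sizeof counts[0]);
    for (size_t i = 0; i < n; i++) counts[scan_line(lines[i])]++;
}

int main(void) {
    int counts[4];
    tally(SAMPLE_LINES, SAMPLE_COUNT, counts);
    printf("not a segfault: %d, other: %d, gst read fault: %d, gst write fault: %d\n",
           counts[0], counts[1], counts[2], counts[3]);
    return 0;
}
```

Feed it the kernel ring buffer or `journalctl -k` output and treat GST_WRITE_FAULT as the cue to preserve the core dump and the media file the process was handling; a read fault in the same library is worth a look but is the more common null-dereference crash. The match on "gst" is deliberately broad; in production, key on the library names your packages actually install, and remember that a successful exploit does not crash at all, so this catches failed or fuzzing attempts rather than a clean compromise.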


Advisories

Source        ID           Title
Debian DSA    DSA-6190-1   gst-plugins-bad1.0 security update
History

Tue, 17 Mar 2026 19:00:00 +0000
CPEs added: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 00:15:00 +0000
References: no values shown
Metrics removed: threat_severity None
Metrics added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics added: threat_severity Important

Mon, 16 Mar 2026 21:15:00 +0000
Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
First Time appeared: Gstreamer; Gstreamer gstreamer
Vendors & Products added: Gstreamer; Gstreamer gstreamer

Fri, 13 Mar 2026 21:00:00 +0000
Description added: the ZDI description shown at the top of this page
Title added: GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability
Weaknesses added: CWE-787
References: no values shown
Metrics added: cvssV3_0 {'score': 7.8, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE
Status: PUBLISHED
Assigner: zdi
Published:
Updated: 2026-03-18T03:55:36.715Z
Reserved: 2026-02-23T21:47:17.523Z
Link: CVE-2026-3086

Vulnrichment
Updated: 2026-03-16T20:26:31.631Z

NVD
Status: Analyzed
Published: 2026-03-16T14:19:46.767
Modified: 2026-03-17T18:56:36.537
Link: CVE-2026-3086

Red Hat
Severity: Important
Public Date: 2026-03-13T20:40:12Z
Links: CVE-2026-3086 - Bugzilla

OpenCVE Enrichment
Updated: 2026-03-23T13:39:40Z

Weaknesses