Description
An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.
Published: 2026-05-14
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer division by zero flaw in the isomp4 plugin’s MP4 audio parsing routine causes the gst-plugins-good component to crash, rendering services that rely on it unavailable. The weakness is classified as CWE-369 and produces only a denial‑of‑service impact, with no direct effect on confidentiality or integrity.

Affected Systems

The vulnerability affects the GStreamer good plug‑ins package (gst‑plugins‑good) prior to version 1.28.2. All releases 1.28.1 and earlier are impacted, while 1.28.2 and newer contain the fix.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires a crafted MP4 audio file containing malformed atom data that is parsed by the vulnerable plugin. The attack vector is likely local or arises when an application processes untrusted media files received over a network. Because the flaw leads only to a crash, the risk is primarily service disruption rather than privilege escalation or data theft.

Generated by OpenCVE AI on May 14, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GStreamer Good Plug‑ins package to version 1.28.2 or later
  • Apply the security patch provided in merge request 11243 by updating the source or applying the patch manually if upgrading is not immediately possible
  • Disable the isomp4 plugin or restrict its use to trusted media sources, and monitor application logs for crashes to detect exploitation attempts

Generated by OpenCVE AI on May 14, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.
First Time appeared Gstreamer
Gstreamer good Plug-ins
Weaknesses CWE-369
CPEs cpe:2.3:a:gstreamer:good_plug-ins:*:*:*:*:*:*:*:*
Vendors & Products Gstreamer
Gstreamer good Plug-ins
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Gstreamer Good Plug-ins
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T18:42:56.086Z

Reserved: 2026-05-14T17:38:43.160Z

Link: CVE-2026-46469

cve-icon Vulnrichment

Updated: 2026-05-14T18:42:53.382Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T18:16:50.653

Modified: 2026-05-14T18:24:08.747

Link: CVE-2026-46469

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:00:14Z

Weaknesses