Description
An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.
Published: 2026-05-14
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The isomp4 plugin’s qtdemux_audio_caps function fails to validate atom data properly, which allows a crafted MP4 audio file to trigger an integer division by zero. This flaw can cause the plugin to crash, resulting in a denial of service. The weakness is a classic integer divide‑by‑zero error (CWE‑369).

Affected Systems

GStreamer gst‑plugins‑good prior to version 1.28.2 is affected. The vulnerability resides in the gst‑plugins‑good package, specifically the isomp4 component that handles MP4 audio tracks. Systems running older releases of GStreamer without this patch are potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.0 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The attack requires delivering a malicious MP4 file that causes the plugin to perform the division, so the likely vector is a local or remote user who can supply audio content to a GStreamer‑based application. An attacker exploiting the flaw would cause a denial of service on the host running the media processing component.

Generated by OpenCVE AI on May 14, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GStreamer gst‑plugins‑good to version 1.28.2 or newer, which includes the fix for the insufficient atom validation.
  • Verify the upgraded installation by processing a known benign MP4 file and monitoring for crashes.
  • If an upgrade cannot be performed immediately, isolate or restrict the environment so that the isomp4 plugin does not process untrusted media, or disable the plugin entirely when not needed.



Advisories

No advisories yet.

History

Thu, 14 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
Title | | Division by Zero in GStreamer MP4 Audio Parser Leading to Denial of Service

Thu, 14 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.
First Time appeared | | Gstreamer; Gstreamer good Plug-ins
Weaknesses | | CWE-369
CPEs | | cpe:2.3:a:gstreamer:good_plug-ins:*:*:*:*:*:*:*:*
Vendors & Products | | Gstreamer; Gstreamer good Plug-ins
References | |
Metrics | | cvssV3_1: {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T18:45:00.346Z

Reserved: 2026-05-14T17:40:45.850Z

Link: CVE-2026-46470

Vulnrichment

Updated: 2026-05-14T18:44:56.167Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T18:16:50.790

Modified: 2026-05-14T18:24:08.747

Link: CVE-2026-46470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T19:30:26Z
