Description
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A denial of service flaw exists in the AV1 codec parser of GStreamer 1.x. The parser passes a byte count to a bit‑reader API that expects a bit count, leading to desynchronization and an assertion abort that crashes the application. An attacker can supply a specially crafted AV1 media file to trigger the failure.

Affected Systems

Red Hat Enterprise Linux versions 6 through 10 are affected because they ship GStreamer 1.x packages that include the buggy gst-plugins-bad library. Systems using any of these distributions should verify whether the vulnerable GStreamer component is installed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low current exploitation likelihood. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a remote user tricking a victim into opening a malicious AV1 file; without a practical workaround, exploitation requires the file to be parsed by the vulnerable library, resulting in a crash.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Remediation

Vendor Workaround

Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability.


OpenCVE Recommended Actions

  • Install Red Hat’s security update for GStreamer that fixes the byte/bit confusion bug (CWE‑617).
  • Monitor log files for assertion aborts or application crashes related to media playback and investigate any incidents promptly.
  • If a patch cannot be applied immediately, configure media applications or the GStreamer framework to disable AV1 playback or uninstall the gst-plugins-bad plugin, thereby limiting exposure until a patch is available.

Generated by OpenCVE AI on June 18, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6362-1 gst-plugins-bad1.0 security update
History

Wed, 08 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.2
References

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Gstreamer Project
Gstreamer Project gstreamer Plugin
Vendors & Products Gstreamer Project
Gstreamer Project gstreamer Plugin

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
Title Gstreamer1-plugins-bad-free: gstreamer: denial of service via av1 tile_list_obu parser byte/bit confusion
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-617
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Gstreamer Project Gstreamer Plugin
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T14:17:21.907Z

Reserved: 2026-06-08T11:07:26.008Z

Link: CVE-2026-52718

cve-icon Vulnrichment

Updated: 2026-06-16T15:03:19.532Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T20:16:32.317

Modified: 2026-06-15T21:09:52.020

Link: CVE-2026-52718

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T00:00:00Z

Links: CVE-2026-52718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:44Z

Weaknesses