Impact
A denial of service flaw exists in the AV1 codec parser of GStreamer 1.x. The parser passes a byte count to a bit‑reader API that expects a bit count, leading to desynchronization and an assertion abort that crashes the application. An attacker can supply a specially crafted AV1 media file to trigger the failure.
Affected Systems
Red Hat Enterprise Linux versions 6 through 10 are affected because they ship GStreamer 1.x packages that include the buggy gst-plugins-bad library. Systems using any of these distributions should verify whether the vulnerable GStreamer component is installed.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low current exploitation likelihood. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a remote user tricking a victim into opening a malicious AV1 file; without a practical workaround, exploitation requires the file to be parsed by the vulnerable library, resulting in a crash.
OpenCVE Enrichment
Debian DSA