CVE-2026-3086
Awaiting Analysis Awaiting Analysis - Queue
Out-of-Bounds Write in GStreamer H.266 Parser Enables RCE

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: Zero Day Initiative

Description
GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3086
EUVD
EUVD-2026-12131
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gstreamer gstreamer to 1.28.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3086 is a remote code execution vulnerability in the GStreamer H.266 codec parser related to the processing of APS units.

The flaw occurs because of improper validation of user-supplied data, which leads to an out-of-bounds write past the end of an allocated buffer.

Exploiting this vulnerability requires interaction with the GStreamer library, and attack methods may vary depending on how it is implemented.

If successfully exploited, an attacker can execute arbitrary code within the context of the current process.

Mitigation Strategies

To mitigate this vulnerability, you should update GStreamer to the latest version where this issue has been addressed and corrected.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary code on affected systems running the GStreamer H.266 codec parser.

Successful exploitation can lead to full compromise of the affected process, potentially allowing attackers to take control of the system or cause denial of service.

Because the vulnerability involves out-of-bounds memory writes, it can be leveraged to run malicious code, steal data, or disrupt normal operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart