CVE-2026-12891
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Read in GStreamer gst-plugins-bad H.266 Parser

Vulnerability report for CVE-2026-12891, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-07-01

Assigner: Red Hat, Inc.

Description

A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-07-01
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
gstreamer gstreamer *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in the GStreamer gst-plugins-bad package related to the processing of H.266/VVC video streams. Specifically, when the H.266 parser processes a malformed video stream with a specially crafted aspect ratio indicator value, it performs an out-of-bounds read of up to 8 bytes from adjacent memory.

An attacker can exploit this by creating a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could cause the application to leak limited memory contents through video metadata.

This leakage potentially exposes sensitive information from the application's address space.

Impact Analysis

The impact of this vulnerability is that an attacker could use a crafted H.266 video file or stream to cause a GStreamer-based application to leak limited memory contents.

This memory leakage could expose sensitive information from the application's address space, potentially compromising confidentiality.

However, the vulnerability does not affect the integrity or availability of the application.

Compliance Impact

This vulnerability allows an attacker to craft a malicious H.266 video file or stream that could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.

Such exposure of sensitive information could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure.

However, the CVE description does not provide specific details on the types of data that might be exposed or the extent of the impact on compliance.

Detection Guidance

This vulnerability involves an out-of-bounds read triggered by processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator. Detection would involve identifying if GStreamer gst-plugins-bad is processing suspicious or malformed H.266 video streams that could exploit this flaw.

Since the flaw is in the gst_h266_parse_vui_parameters() function of the gst-plugins-bad package, you can check the version of the gst-plugins-bad package installed on your system to see if it includes the vulnerable H.266 parser.

To detect potential exploitation attempts, you could monitor for unusual or malformed H.266 video streams being processed by GStreamer-based applications.

Suggested commands to check the installed version of gst-plugins-bad (on Linux systems) include:

  • dpkg -l | grep gst-plugins-bad
  • rpm -qa | grep gst-plugins-bad

Additionally, you can use network monitoring tools like tcpdump or Wireshark to capture and analyze video streams for malformed H.266 content, although no specific signature or command is provided in the resources.

Mitigation Strategies

Immediate mitigation steps include updating the gst-plugins-bad package to a version where this vulnerability has been fixed by the upstream maintainer.

If an update is not immediately available, consider restricting or disabling processing of untrusted H.266/VVC video streams in GStreamer-based applications to prevent exploitation.

Monitoring and filtering incoming video streams to block malformed or suspicious H.266 content can also reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart