CVE-2026-12891
Out-of-Bounds Read in GStreamer gst-plugins-bad H.266 Parser

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Red Hat, Inc.

Description
A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the H.266 parser performs an out-of-bounds read of up to 8 bytes from adjacent memory. This flaw allows an attacker to craft a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.
Affected Vendors & Products
Vendor: gstreamer | Product: gst-plugins-bad | Version / Range: *
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Impact Analysis

The impact of this vulnerability is that an attacker could use a crafted H.266 video file or stream to cause a GStreamer-based application to leak limited memory contents.

This memory leakage could expose sensitive information from the application's address space, potentially compromising confidentiality.

However, the vulnerability does not affect the integrity or availability of the application.

Compliance Impact

This vulnerability allows an attacker to craft a malicious H.266 video file or stream that could leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space.

Such exposure of sensitive information could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure.

However, the CVE description does not provide specific details on the types of data that might be exposed or the extent of the impact on compliance.

Executive Summary

This vulnerability is a flaw in the GStreamer gst-plugins-bad package related to the processing of H.266/VVC video streams. Specifically, when the H.266 parser processes a malformed video stream with a specially crafted aspect ratio indicator value, it performs an out-of-bounds read of up to 8 bytes from adjacent memory.

An attacker can exploit this by creating a malicious H.266 video file or stream that, when processed by a GStreamer-based application, could cause the application to leak limited memory contents through video metadata.

This leakage potentially exposes sensitive information from the application's address space.
