CVE-2026-52719
Status: Awaiting Analysis (queue)
VA JPEG Decoder Out-of-Bounds Read in GStreamer

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Red Hat, Inc.

Description
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product                        Version / Range
gstreamer   gstreamer1-plugins-bad-free    up to 1.28.5 (inclusive)
gstreamer   gst-plugins-bad                * (all versions)
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI-generated analysis
Executive Summary

CVE-2026-52719 is an out-of-bounds read vulnerability found in the VA JPEG decoder component of GStreamer's gst-plugins-bad package. The vulnerability occurs because the JPEG parser reads a segment length value from the bitstream without properly validating it against the actual available data.

This improper validation causes the decoder to create a byte reader that reads beyond the allocated buffer, which can lead to a crash or potentially disclose information.
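The missing check the summary describes, as an added C example that is not GStreamer's code: a minimal walk over the marker segments of a JPEG header that validates every big-endian length field against the bytes actually remaining before the segment is handed to any sub-reader. The function names, status codes and the three sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for the segment walk (constructed for this example). */
enum jpeg_walk_status {
    JPEG_WALK_OK = 0,          /* reached SOS or EOI with every length in bounds */
    JPEG_WALK_BAD_MARKER = 1,  /* a byte where a 0xFF marker prefix was expected is not 0xFF */
    JPEG_WALK_TRUNCATED = 2    /* a declared segment length overruns the supplied buffer */
};

/* Walk the marker segments in buf[0..len). On return *segments_ok holds the
 * number of length-carrying segments whose declared length fit in the buffer. */
int jpeg_walk_segments(const uint8_t *buf, size_t len, size_t *segments_ok)
{
    size_t pos;
    *segments_ok = 0;

    /* SOI (FF D8) carries no length field. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_WALK_BAD_MARKER;
    pos = 2;

    while (pos + 2 <= len) {                /* need at least the 2-byte marker */
        if (buf[pos] != 0xFF)
            return JPEG_WALK_BAD_MARKER;
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9)                 /* EOI: no payload, done */
            return JPEG_WALK_OK;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;                       /* TEM / RSTn: standalone, no length */
            continue;
        }
        if (pos + 4 > len)                  /* marker present but its length field is cut off */
            return JPEG_WALK_TRUNCATED;

        /* The length is big-endian and counts its own two bytes. */
        size_t seg_len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seg_len < 2)
            return JPEG_WALK_TRUNCATED;     /* cannot even cover the length field */
        /* The validation the advisory says was skipped: the declared length
         * must not exceed the data actually present after the marker. */
        if (seg_len > len - (pos + 2))
            return JPEG_WALK_TRUNCATED;

        (*segments_ok)++;
        if (marker == 0xDA)                 /* SOS: entropy-coded data follows; stop here */
            return JPEG_WALK_OK;
        pos += 2 + seg_len;
    }
    return JPEG_WALK_TRUNCATED;             /* ran out of bytes before SOS or EOI */
}

/* Thin wrappers so results can be checked as plain return values. */
int walk_status(const uint8_t *buf, size_t len)
{
    size_t n;
    return jpeg_walk_segments(buf, len, &n);
}

size_t walk_count(const uint8_t *buf, size_t len)
{
    size_t n;
    (void)jpeg_walk_segments(buf, len, &n);
    return n;
}

/* Constructed samples: SOI, an APP0 of length 4, a DQT of length 3, then SOS. */
const uint8_t SAMPLE_GOOD[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,
    0xFF, 0xDB, 0x00, 0x03, 0x00, 0xFF, 0xDA, 0x00, 0x02
};
/* APP0 that declares 64 bytes while only 4 follow the marker. */
const uint8_t SAMPLE_TRUNCATED[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x40, 0x4A, 0x46 };
/* APP0 whose length exactly consumes the remaining bytes before EOI. */
const uint8_t SAMPLE_BOUNDARY[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46, 0xFF, 0xD9 };
/* Marker prefix missing after SOI. */
const uint8_t SAMPLE_BAD_MARKER[] = { 0xFF, 0xD8, 0x00, 0xE0, 0x00, 0x04 };

int main(void)
{
    printf("good: status=%d segments=%zu\n",
           walk_status(SAMPLE_GOOD, sizeof SAMPLE_GOOD), walk_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("truncated: status=%d segments=%zu\n",
           walk_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           walk_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("boundary: status=%d\n", walk_status(SAMPLE_BOUNDARY, sizeof SAMPLE_BOUNDARY));
    return 0;
}
```

The comparison `seg_len > len - (pos + 2)` is written with the subtraction on the known-safe side (pos + 2 <= len holds at that point) so it cannot wrap; the truncated sample is rejected before any sub-reader over the declared 64 bytes would be constructed, which is the decision point the advisory attributes the out-of-bounds read to.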

Compliance Impact

This vulnerability involves a potential information disclosure due to an out-of-bounds read in the VA JPEG decoder. Such information disclosure risks could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

However, the provided information does not specify the nature or sensitivity of the data that could be exposed, nor does it detail any direct compliance implications or mitigation measures related to these standards.

Impact Analysis

If exploited, this vulnerability can cause the application using the vulnerable GStreamer VA JPEG decoder to crash, resulting in a denial of service.

Additionally, it may lead to potential information disclosure by reading memory beyond the intended buffer, which could expose sensitive data.

The attack vector involves a remote attacker tricking a user into opening a specially crafted JPEG file.

Detection Guidance

Detection of this vulnerability involves identifying the presence of the vulnerable GStreamer VA JPEG decoder component, specifically the gst-plugins-bad package versions prior to 1.28.4 or 1.28.5.

Since the vulnerability is triggered by processing specially crafted JPEG files, monitoring for crashes or abnormal behavior in applications using GStreamer to parse JPEG images can be indicative.

Commands to detect the installed package version on a Linux system might include (gstreamer1-plugins-bad-free is the RPM name listed in the affected CPEs; Debian-based distributions ship the same plugin set under a different package name, so the dpkg query uses a broader pattern):

  • rpm -q gstreamer1-plugins-bad-free
  • dpkg -l | grep -i 'gstreamer.*plugins-bad'

Additionally, scanning network traffic for suspicious JPEG files or using file integrity monitoring to detect unexpected JPEG files could help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update the GStreamer gst-plugins-bad package to version 1.28.4 or later, where the vulnerability has been fixed.

If updating is not immediately possible, consider restricting or disabling the processing of untrusted JPEG files in applications that use the vulnerable VA JPEG decoder.

Additionally, applying network-level controls to block or monitor suspicious JPEG files and educating users to avoid opening JPEG files from untrusted sources can reduce risk.
