CVE-2026-53704
Awaiting Analysis Awaiting Analysis - Queue
GStreamer RealMedia Demuxer Infinite Loop and Buffer Overflow

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Red Hat, Inc.

Description
A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-53704
EUVD
EUVD-2026-36802
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gst-plugins-ugly gstreamer1-plugins-ugly-free *
gstreamer gstreamer *
gstreamer gst-plugins-ugly *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in GStreamer's RealMedia demuxer within the gst-plugins-ugly package. It occurs when processing a specially crafted RealMedia file containing a FILEINFO metadata section. The demuxer parses variable-name and variable-value pairs using a function called re_skip_pascal_string() without properly checking that the offsets stay within the mapped buffer. Additionally, the number of elements controlling the parsing loop is read from attacker-controlled data without validation, which can lead to an infinite loop.

As a result, a crafted RealMedia file can cause the application to crash, hang indefinitely, or potentially read limited adjacent memory contents.

Impact Analysis

This vulnerability can impact you by causing applications that use the affected GStreamer RealMedia demuxer to crash or hang. The infinite loop caused by attacker-controlled data can make the application unresponsive.

Additionally, there is a potential for limited adjacent memory to be read, which could lead to information disclosure, although the scope of this memory read is limited.

Detection Guidance

This vulnerability involves a flaw in the GStreamer RealMedia demuxer when processing specially crafted RealMedia files. Detection would involve monitoring for crashes, hangs, or abnormal behavior in applications using the gst-plugins-ugly package when handling RealMedia files.

Since the vulnerability is triggered by processing malicious RealMedia files, one detection approach is to analyze or scan RealMedia files for suspicious FILEINFO metadata sections that contain abnormal element counts or malformed variable-name and variable-value pairs.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

Currently, no fix is available for this vulnerability. Upstream developers recommend a complete rewrite of the rmdemux component to address the issue.

Immediate mitigation steps include avoiding the use of untrusted or unverified RealMedia files with applications that use the gst-plugins-ugly package.

Additionally, monitoring and restricting access to RealMedia files from untrusted sources can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart