CVE-2026-14935
Received Received - Intake

GStreamer webrtcbin SDP Fingerprint Bypass Vulnerability

Vulnerability report for CVE-2026-14935, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Red Hat, Inc.

Description

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gstreamer gst-plugins-bad From 1.28.3 (inc)
gstreamer gst-plugins-bad to 1.28.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a logic flaw in GStreamer's webrtcbin component, specifically in the _check_sdp_crypto() function. The function has an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it.

An attacker who can intercept and modify WebRTC signaling messages could exploit this flaw to bypass the SDP-level DTLS certificate fingerprint binding. This weakens the defenses against man-in-the-middle attacks on media streams by allowing the attacker to remove the a=fingerprint attributes from SDP messages.

Impact Analysis

The vulnerability allows an attacker with the ability to intercept and modify the WebRTC signaling channel to bypass security checks that bind DTLS certificates to SDP fingerprints. This can weaken protection against man-in-the-middle attacks on media streams.

However, the practical impact is limited because exploiting this requires a man-in-the-middle position on the signaling channel, which is often protected by TLS. Additionally, the DTLS layer certificate validation may still provide some security, so this vulnerability represents a defense-in-depth bypass rather than a complete cryptographic break.

Detection Guidance

This vulnerability involves the _check_sdp_crypto() function in GStreamer's webrtcbin component incorrectly accepting SDP offers or answers that lack the required a=fingerprint attribute. Detection would involve monitoring WebRTC signaling messages for SDP offers or answers missing the a=fingerprint attribute.

Since the vulnerability is related to SDP messages in WebRTC signaling, you can inspect network traffic for SDP messages that do not contain the a=fingerprint attribute. This requires capturing and analyzing signaling traffic, typically over TLS.

Suggested commands to detect such messages might include using packet capture tools like tcpdump or Wireshark to filter and analyze SDP messages. For example:

  • Use tcpdump to capture signaling traffic on the relevant port (e.g., 443 for HTTPS/TLS): tcpdump -i <interface> port 443 -w capture.pcap
  • Open the capture in Wireshark and filter for SDP messages: sdp
  • Inspect SDP offers/answers for the presence or absence of the a=fingerprint attribute.

Automated detection might require custom scripts or tools to parse SDP messages and flag those missing the a=fingerprint attribute, indicating potential exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating GStreamer gst-plugins-bad to a fixed version where the vulnerability is resolved, such as version 1.28.5 or later.

Since the vulnerability requires an attacker to intercept and modify WebRTC signaling messages, ensuring the signaling channel is properly secured with strong TLS configurations reduces the risk of exploitation.

Additionally, monitoring network traffic for SDP messages missing the a=fingerprint attribute can help detect potential exploitation attempts.

If updating immediately is not possible, consider applying any available patches or workarounds provided by the vendor or community.

Compliance Impact

This vulnerability weakens defenses against man-in-the-middle attacks on media streams by bypassing the SDP-level DTLS certificate fingerprint binding, which is a defense-in-depth security measure.

While the practical impact is limited and requires an attacker to intercept and modify WebRTC signaling messages, this could potentially increase the risk of unauthorized interception or modification of media streams.

Such a risk could affect compliance with standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive data during transmission, by potentially exposing communications to interception.

However, since the vulnerability does not represent a complete cryptographic break and the DTLS layer certificate validation may still be effective, the overall impact on compliance depends on the specific implementation and additional security controls in place.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart