GStreamer
open source multimedia framework

GStreamer Spring Hackfest 2026

29-31 May 2026 ยท Nice, France

Join us!
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
Follow us on Bluesky
Follow us on Mastodon
Chat with us on Matrix

Security Advisory 2026-0015 (CVE-2026-XXXX pending)
Summary Integer overflows in JPEG 2000 decimator
Date 2026-04-07
Affected Versions GStreamer gst-plugins-bad < 1.28.2
IDs GStreamer-SA-2026-0015
CVE-2026-XXXX (pending)

Details

Integer overflows and division by zero in the JPEG 2000 decimator in gst-plugins-bad when handling malformed JPEG 2000 codestreams. The vulnerabilities occur in size validation checks and tile configuration parsing, where insufficient bounds checking allows integer overflows during multiplication operations and division by zero when tile dimensions are invalid.

Impact

A malicious third party could trigger a crash in the application, resulting in denial of service, when processing malicious JPEG 2000 media files.

Solution

The gst-plugins-bad 1.28.2 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.2 release

Patches

Report a problem on this page.