Security Advisory 2026-0033
|
|
| Summary |
Out-of-bounds read and modification of const data in ID3v2 parser |
| Date |
2026-06-12 |
| Affected Versions |
GStreamer gst-plugins-base < 1.28.4 |
| IDs |
GStreamer-SA-2026-0033 |
Details
Out-of-bounds read vulnerability in the ID3v2 parser in gst-plugins-base when processing RVA2 (Relative Volume Adjustment 2) tags. The parser failed to validate that sufficient data was available before reading the peak value field, allowing a read of up to 2 bytes beyond the actual frame buffer. Additionally, the peak value variable was left uninitialized, leading to unpredictable behavior.
Separately, the ID3v2 parser was modifying const data when handling custom ID3v2 frames. The frame ID sanitization code wrote directly to the read-only frame data buffer instead of a local copy, which could corrupt media data.
Impact
A malicious third party could trigger an out-of-bounds read of up to 2 bytes by providing a media file with a crafted RVA2 ID3v2 tag, with very low impact. Processing media files with custom ID3v2 frames could result in data corruption, leading to parsing errors.
Solution
The gst-plugins-base 1.28.4 release addresses the issue. People using older
versions of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
- No CVE number assigned or pending
GStreamer 1.28.4 release
Patches
