
Security Advisory 2026-0037 (CVE-2026-52717)

Summary: Heap corruption in gst-libav AV protocol pipe
Date: 2026-06-12
Affected Versions: GStreamer gst-libav < 1.28.4
IDs: GStreamer-SA-2026-0037, CVE-2026-52717

Details

An invalid free vulnerability exists in the AV protocol implementation of gst-libav. When closing the pipe used for AV I/O operations, the close handler freed a pointer into the middle of a larger allocation owned by the demuxer element, corrupting heap metadata. This is always triggered when using the gst-libav demuxer in push mode.
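
The ownership mistake described above, modeled as an added example (this is not gst-libav code and not the project's patch). The names `Pipe`, `Demuxer`, `pipe_close_buggy`, `pipe_close_fixed` and the tracking allocator are hypothetical; the allocator reports a free of a non-base pointer instead of executing it, so the defect can be observed safely.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical types: the pipe state lives INSIDE the demuxer's allocation. */
typedef struct { int eos; size_t queued; } Pipe;
typedef struct { int id; Pipe pipe; } Demuxer;

/* Minimal tracking allocator (constructed for this example): remembers the
 * base address of every live block so a bad free is reported, not executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = calloc(1, n);
    return NULL;                      /* tracking table full */
}

/* Returns 0 on a valid free, -1 if ptr is not the base of a live block. */
static int tracked_free(void *ptr) {
    for (int i = 0; ptr && i < MAX_LIVE; i++)
        if (live[i] == ptr) { live[i] = NULL; free(ptr); return 0; }
    return -1;
}

/* Pattern from the advisory: the close handler frees its private pointer,
 * but that pointer is &demux->pipe, an interior address it does not own. */
static int pipe_close_buggy(void *priv) {
    return tracked_free(priv);
}

/* Corrected ownership: reset state only; the owning demuxer frees the block. */
static int pipe_close_fixed(void *priv) {
    Pipe *p = priv;
    p->eos = 1; p->queued = 0;
    return 0;
}

/* Runs open/close/teardown once; returns the number of invalid frees seen. */
static int run_push_mode(int (*close_cb)(void *)) {
    Demuxer *d = tracked_alloc(sizeof *d);
    if (!d) return -1;
    int bad = (close_cb(&d->pipe) != 0);
    bad += (tracked_free(d) != 0);    /* owner frees the whole block */
    return bad;
}

int main(void) {
    return run_push_mode(pipe_close_fixed);   /* 0: no invalid free */
}
```

With the real `free()`, the call in `pipe_close_buggy` is undefined behaviour; building with AddressSanitizer reports this class of defect as an attempt to free an address that was not returned by the allocator.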

Impact

A malicious third party could trigger heap corruption by using the gst-libav demuxer in push mode, potentially resulting in a crash or denial of service.

Solution

The gst-libav 1.28.4 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.4 release

Patches

