Security Advisory 2026-0040 (CVE-2026-52719)
| Summary | Out-of-bounds read in VA JPEG decoder segment parsing |
| Date | 2026-06-12 |
| Affected Versions | GStreamer gst-plugins-bad < 1.28.4 |
| IDs | GStreamer-SA-2026-0040 CVE-2026-52719 |
Details
An out-of-bounds read vulnerability exists in the VA JPEG decoder in gst-plugins-bad. The decoder failed to validate that sufficient data was available in the input buffer for each parsed JPEG segment. When processing crafted JPEG data, the decoder could read beyond the boundaries of the provided buffer while iterating through JPEG segments and scan headers.
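The missing check described above can be illustrated with a bounds-checked segment walker. This is an added example, not the GStreamer patch or any code from gst-plugins-bad; the function name, error codes and sample byte strings are hypothetical and constructed for illustration. It validates each segment length, and the scan header's component count, against the bytes remaining before reading them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { JPEG_OK = 0, JPEG_TRUNCATED = -1, JPEG_BAD_LENGTH = -2, JPEG_BAD_MARKER = -3 };

/* Walk segments from SOI to the first scan header (SOS) or EOI, checking
 * every read against the bytes that remain. Invariant: off <= size. */
int jpeg_check_segments(const uint8_t *buf, size_t size, size_t *count)
{
    size_t off = 2;
    *count = 0;
    if (size < 2) return JPEG_TRUNCATED;
    if (buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_BAD_MARKER;   /* SOI */
    for (;;) {
        if (size - off < 2) return JPEG_TRUNCATED;        /* marker bytes */
        if (buf[off] != 0xFF) return JPEG_BAD_MARKER;
        uint8_t marker = buf[off + 1];
        off += 2;
        if (marker == 0x00 || marker == 0xFF) return JPEG_BAD_MARKER;
        if (marker == 0xD9) return JPEG_OK;               /* EOI */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                                     /* TEM, RSTn: no length */
        if (size - off < 2) return JPEG_TRUNCATED;        /* length field */
        size_t len = ((size_t)buf[off] << 8) | buf[off + 1];
        if (len < 2) return JPEG_BAD_LENGTH;              /* length counts itself */
        if (len > size - off) return JPEG_TRUNCATED;      /* segment ends past buffer */
        (*count)++;
        if (marker == 0xDA) {                             /* SOS: Ls must be 6 + 2*Ns */
            if (len < 3) return JPEG_BAD_LENGTH;          /* no room for Ns */
            unsigned ns = buf[off + 2];
            if (ns < 1 || ns > 4 || len != 6u + 2u * ns) return JPEG_BAD_LENGTH;
            return JPEG_OK;                               /* entropy-coded data follows */
        }
        off += len;
    }
}

/* Constructed sample inputs (not taken from the advisory). */
static const uint8_t ok_jpeg[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'A','B',
                                   0xFF,0xDA,0x00,0x08,0x01,0x01,0x00,0x00,0x3F,0x00 };
static const uint8_t short_seg[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x10,'A','B' };
static const uint8_t short_sos[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x06,0x03,0x00,0x00,0x00 };

int main(void)
{
    size_t n;
    printf("%d %d %d\n", jpeg_check_segments(ok_jpeg, sizeof ok_jpeg, &n),
           jpeg_check_segments(short_seg, sizeof short_seg, &n),
           jpeg_check_segments(short_sos, sizeof short_sos, &n));
}
```

The comparisons are written as `len > size - off` rather than `off + len > size` so that the check itself cannot overflow.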
Impact
A malicious third party could trigger out-of-bounds reads by providing a crafted JPEG file with undersized or truncated segments, potentially resulting in a crash, denial of service, or information disclosure.
Solution
The gst-plugins-bad 1.28.4 release addresses the issue. People using older
versions of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer 1.28.4 release
Patches