Security Advisory 2026-0046 (CVE-2026-52722)
| Summary | Integer overflow in VMNC decoder cursor payload size calculation |
| Date | 2026-06-16 |
| Affected Versions | GStreamer gst-plugins-bad < 1.28.5 |
| IDs | GStreamer-SA-2026-0046 CVE-2026-52722 |
Details
An integer overflow vulnerability exists in the vmncdec element (VMNC decoder) in gst-plugins-bad, triggered when handling VMNC streams with cursor rectangle data. The vulnerability occurs during the computation of the cursor payload size, where rectangle dimensions, bytes per pixel, and a multiplier for colour cursor data are combined using signed integer arithmetic. Although a previous fix (CVE-2016-9445) limited the maximum stream dimensions to 16384, dimensions at this limit are large enough for the colour cursor payload calculation to overflow a 32-bit signed integer. The resulting negative length value bypasses the subsequent short-packet check, leading to oversized memory allocations and out-of-bounds reads from the input buffer.
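The arithmetic described above, as an added example that is not GStreamer code: it models the 32-bit size calculation and signed length check next to one way of hardening them. The function names, the multiplier of 2, the 1 to 4 bytes-per-pixel range and the 64-byte packet size are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM     16384 /* stream dimension limit named in the advisory */
#define COLOUR_MULT 2     /* assumed multiplier for colour cursor data */

/* Models the 32-bit signed size calculation. Signed overflow is undefined in
 * C, so the wrap is reproduced with unsigned arithmetic and converted back
 * (two's-complement result on common compilers). */
static int32_t payload_len_wrapping(int32_t w, int32_t h, int32_t bpp)
{
    uint32_t n = (uint32_t)w * (uint32_t)h * (uint32_t)bpp * COLOUR_MULT;
    return (int32_t)n;
}

/* Signed short-packet check: a negative "needed" always passes. */
static bool enough_data_signed(int32_t available, int32_t needed)
{
    return available >= needed;
}

/* Hardened size calculation: validate inputs, widen to 64 bits before
 * multiplying. Returns -1 for rejected input. bpp range 1..4 is assumed. */
static int64_t payload_len_checked(int32_t w, int32_t h, int32_t bpp)
{
    if (w < 0 || h < 0 || w > MAX_DIM || h > MAX_DIM || bpp < 1 || bpp > 4)
        return -1;
    return (int64_t)w * h * bpp * COLOUR_MULT;
}

/* Hardened check: reject negative lengths, compare as unsigned 64-bit. */
static bool enough_data_checked(uint64_t available, int64_t needed)
{
    return needed >= 0 && (uint64_t)needed <= available;
}

int main(void)
{
    int32_t bad = payload_len_wrapping(MAX_DIM, MAX_DIM, 4);
    int64_t good = payload_len_checked(MAX_DIM, MAX_DIM, 4);
    printf("wrapping: len=%d passes=%d\n", bad, enough_data_signed(64, bad));
    printf("checked:  len=%lld passes=%d\n", (long long)good,
           enough_data_checked(64, good));
    return 0;
}
```

With both dimensions at the 16384 limit, the product is exactly 2^31, one more than the largest 32-bit signed value, so the modelled length becomes negative and the signed check accepts a 64-byte packet that the widened calculation rejects.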
Impact
A malicious third party could trigger a crash in the application, resulting in denial of service, or cause out-of-bounds reads from the input buffer when processing a crafted VMNC stream.
Solution
The gst-plugins-bad 1.28.5 release addresses the issue. People using older
versions of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer 1.28.5 release
Note: This advisory was published before the GStreamer 1.28.5 release since the
CVE numbering authority accidentally released the CVE details ahead of schedule.
The release is planned for early July 2026.
Patches