Security Advisory 2026-0047 (CVE-2026-12892)
Details

A one-byte heap out-of-bounds read vulnerability in the H.264 parser in gst-plugins-bad. The NAL unit parser reads a byte from the NAL payload at an offset determined by the NAL header size without verifying that the payload is large enough to contain that byte. This affects slice NAL types that use multi-byte extension headers for the MVC and SVC profiles. A NAL unit whose payload size equals its header size passes the existing minimum-size validation but triggers a read one byte past the end of the allocation. The vulnerability is reachable through malformed H.264 bitstreams delivered via media files, network streams, or web content.

Impact

A malicious third party could trigger an out-of-bounds read by providing a crafted H.264 stream containing undersized slice NAL units, potentially resulting in information disclosure, parser desynchronization, incorrect frame boundary detection, or denial of service.

Solution

The gst-plugins-bad 1.28.5 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project
CVE Database Entries
GStreamer 1.28.5 release

Note: This advisory was published before the GStreamer 1.28.5 release, since the CVE numbering authority released the CVE details without embargo before the release, as the impact was considered low. The release is planned for early July 2026.

Patches
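As an added illustration of the size check described under Details, not GStreamer's own code and not the upstream patch: a simplified NAL unit length check in C, with the pre-fix condition beside the corrected one and a parse step that uses the corrected check. The 3-byte header for nal_unit_type 14 and 20 is taken from the H.264 specification (SVC/MVC extension headers), not from the advisory, and the NAL bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the parser check (not gst-plugins-bad code).
 * Assumption from the H.264 spec: nal_unit_type 14 (prefix NAL) and 20
 * (coded slice extension) carry a 3-byte header; all others 1 byte. */
size_t nal_header_size(uint8_t nal_type) {
    return (nal_type == 14 || nal_type == 20) ? 3 : 1;
}

/* Pre-fix condition: only requires room for the header itself, so a NAL
 * of exactly header_size bytes is accepted, and the first slice-data read
 * at data[header_size] lands one byte past the end of the buffer. */
bool nal_check_vulnerable(size_t nal_size, size_t header_size) {
    return nal_size >= header_size;
}

/* Fixed condition: the parser is about to read data[header_size], so the
 * NAL must hold at least header_size + 1 bytes. */
bool nal_check_fixed(size_t nal_size, size_t header_size) {
    return nal_size >= header_size + 1;
}

/* Stores the first slice-data byte (right after the NAL header) in *out and
 * returns 0, or returns -1 if the NAL is too short. Never reads past nal_size. */
int nal_first_payload_byte(const uint8_t *nal, size_t nal_size, uint8_t *out) {
    if (nal_size == 0) return -1;
    size_t hdr = nal_header_size(nal[0] & 0x1f);
    if (!nal_check_fixed(nal_size, hdr)) return -1;
    *out = nal[hdr];
    return 0;
}

int main(void) {
    /* Constructed MVC slice-extension NAL: forbidden_zero_bit=0, nal_ref_idc=3,
     * nal_unit_type=20 -> 0x74, followed only by the two extension-header bytes. */
    const uint8_t undersized[3] = { 0x74, 0x80, 0x00 };
    size_t hdr = nal_header_size(undersized[0] & 0x1f);
    printf("old check accepts 3-byte type-20 NAL: %d\n", nal_check_vulnerable(3, hdr));
    printf("fixed check accepts it: %d\n", nal_check_fixed(3, hdr));

    const uint8_t ok[4] = { 0x74, 0x80, 0x00, 0xB4 };  /* one byte of slice data */
    uint8_t b = 0;
    if (nal_first_payload_byte(ok, 4, &b) == 0)
        printf("4-byte NAL: first slice byte 0x%02x\n", b);
    return 0;
}
```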