GStreamer
open source multimedia framework

Security Advisory 2026-0048 (CVE-2026-12891)

Summary: Out-of-bounds read in H.266 parser VUI aspect ratio parsing
Date: 2026-06-24
Affected Versions: GStreamer gst-plugins-bad < 1.28.5
IDs: GStreamer-SA-2026-0048, CVE-2026-12891

Details

An out-of-bounds read vulnerability exists in the H.266/VVC parser in gst-plugins-bad. When parsing the VUI parameters of a sequence parameter set, the aspect ratio index read from the bitstream is used directly as an index into a fixed-size lookup table without bounds validation. Index values outside the table's valid range cause reads of up to 2048 bytes beyond the array boundaries in the global data segment.
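The pattern the advisory describes, as an added illustration that is not GStreamer's own code: a VUI aspect ratio parser in which the 8-bit index from the bitstream selects an entry from a 17-entry sample aspect ratio table. The unchecked lookup is shown beside a hardened parser that rejects reserved index values before touching the table and fails cleanly on a truncated bitstream. Field widths follow the H.26x VUI syntax (1-bit present flag, 8-bit index, 16-bit width and height when the index is 255); the table contents are the standard mapping for indices 0 to 16. The bit reader, structure names and the sample bitstreams are assumptions made for this example.

```c
/*
 * Added example (not GStreamer code): the unchecked-index pattern described in
 * the advisory, beside a hardened VUI aspect-ratio parser. Field widths follow
 * the H.26x VUI syntax (1-bit present flag, 8-bit aspect_ratio_idc, 16-bit
 * sar_width/sar_height when idc == 255). Names and sample input are assumed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; size_t bitpos; } BitReader;

/* MSB-first bit reader; fails instead of reading past the buffer. */
static int br_read_bits(BitReader *br, unsigned nbits, uint32_t *out)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++) {
        size_t byte = br->bitpos >> 3;
        if (byte >= br->len)
            return -1;                          /* bitstream exhausted */
        v = (v << 1) | ((br->data[byte] >> (7 - (br->bitpos & 7))) & 1);
        br->bitpos++;
    }
    *out = v;
    return 0;
}

typedef struct { uint16_t w, h; } Sar;

/* idc 0..16 -> sample aspect ratio; 17..254 reserved; 255 = Extended_SAR */
static const Sar sar_table[] = {
    {0, 0},   {1, 1},   {12, 11}, {10, 11}, {16, 11}, {40, 33}, {24, 11}, {20, 11}, {32, 11},
    {80, 33}, {18, 11}, {15, 11}, {64, 33}, {160, 99}, {4, 3},  {3, 2},   {2, 1},
};
#define SAR_TABLE_SIZE (sizeof sar_table / sizeof sar_table[0])
#define EXTENDED_SAR   255

typedef struct { bool present; uint8_t idc; Sar sar; } AspectRatioInfo;

/*
 * The vulnerable pattern: the 8-bit idc indexes a 17-entry table directly,
 * so idc 17..254 reads past the end of the table into whatever follows it
 * in the data segment. Never call this with untrusted idc; it is here only
 * to show what the fix removes.
 */
static Sar sar_lookup_unchecked(uint8_t idc)
{
    return sar_table[idc];
}

/* Hardened: reserved idc values are rejected before any table access. */
static int parse_aspect_ratio_info(BitReader *br, AspectRatioInfo *info)
{
    uint32_t v, w, h;
    memset(info, 0, sizeof *info);
    if (br_read_bits(br, 1, &v))
        return -1;
    info->present = v != 0;
    if (!info->present)
        return 0;
    if (br_read_bits(br, 8, &v))
        return -1;
    info->idc = (uint8_t)v;
    if (info->idc == EXTENDED_SAR) {
        if (br_read_bits(br, 16, &w) || br_read_bits(br, 16, &h))
            return -1;
        info->sar.w = (uint16_t)w;
        info->sar.h = (uint16_t)h;
        return 0;
    }
    if (info->idc >= SAR_TABLE_SIZE)
        return -2;                              /* reserved value: reject, do not index */
    info->sar = sar_table[info->idc];
    return 0;
}

/* Parse a buffer; returns a negative status, or the SAR packed as w*65536+h (0 if absent). */
static long parse_bytes_sar(const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len, 0 };
    AspectRatioInfo info;
    int rc = parse_aspect_ratio_info(&br, &info);
    if (rc < 0)
        return rc;
    return (long)info.sar.w * 65536 + info.sar.h;
}

int main(void)
{
    /* Constructed VUI fragments (not from any real file): present flag, idc, optional SAR */
    static const uint8_t ok[]  = { 0x80, 0x80 };                          /* idc 1 -> 1:1 */
    static const uint8_t bad[] = { 0xE4, 0x00 };                          /* idc 200: reserved */
    static const uint8_t ext[] = { 0xFF, 0x80, 0x08, 0x00, 0x04, 0x80 };  /* idc 255, 16:9 */
    static const uint8_t cut[] = { 0xFF, 0x80 };                          /* idc 255, truncated */
    printf("idc 1   -> %ld\n", parse_bytes_sar(ok, sizeof ok));
    printf("idc 200 -> %ld\n", parse_bytes_sar(bad, sizeof bad));
    printf("idc 255 -> %ld\n", parse_bytes_sar(ext, sizeof ext));
    printf("cut     -> %ld\n", parse_bytes_sar(cut, sizeof cut));
    return 0;
}
```

The check that matters is the single comparison against the table size before the lookup; treating a reserved index as an error (or, equally defensibly, as "unspecified") keeps the parser from ever forming an address outside the table, and the bounds-checked bit reader turns a truncated stream into a clean failure rather than a second out-of-bounds read.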

Impact

A malicious third party could trigger an out-of-bounds read by providing a crafted H.266/VVC media file whose VUI parameters carry an aspect ratio index outside the lookup table's range, potentially resulting in a crash or denial of service.

Solution

The gst-plugins-bad 1.28.5 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.5 release

Note: This advisory was published before the GStreamer 1.28.5 release since the CVE numbering authority released the CVE details without embargo before the release, as the impact was considered low. The release is planned for early July 2026.

Patches

