Security Advisory 2026-0061 (CVE-2026-14935)
|
|
| Summary |
Possible authentication bypass in WebRTC SDP fingerprint validation |
| Date |
2026-07-08 |
| Affected Versions |
GStreamer gst-plugins-bad < 1.28.5 |
| IDs |
GStreamer-SA-2026-0061 CVE-2026-14935 |
Details
A logic error in the WebRTC SDP fingerprint validation code in the webrtcbin element of gst-plugins-bad. The condition checking for the presence of DTLS fingerprint attributes in incoming SDP was inverted: it rejected SDP offers and answers that contained fingerprint information in both the session-level and media-level, while accepting SDP that lacked fingerprint information entirely. SDP with fingerprint information in only one location was handled correctly. This affected the validation performed when processing remote descriptions for active media sections.
Impact
A malicious third party controlling or modifying the remote SDP signaling can strip the fingerprint attributes and have the affected element accept the description. This breaks the WebRTC requirement that binds the DTLS certificate to the signaled identity, weakening the authentication guarantee of the DTLS handshake. The vulnerability enables an authentication bypass at the SDP validation stage.
Solution
The gst-plugins-bad 1.28.5 release addresses the issue. People using older
versions of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer 1.28.5 release
Patches