Security Advisory 2026-0063 (CVE-2026-59691)
|
|
| Summary |
Heap out-of-bounds write in RFB source when decoding framebuffer updates |
| Date |
2026-07-08 |
| Affected Versions |
GStreamer gst-plugins-bad < 1.28.5 |
| IDs |
GStreamer-SA-2026-0063 CVE-2026-59691 |
Details
A heap out-of-bounds write vulnerability in the rfbsrc element (RFB source) in gst-plugins-bad. The underlying RFB decoder wrote pixel data using a fixed size when filling rectangles during framebuffer update decoding, regardless of the negotiated bytes-per-pixel value. When a VNC server advertised a 16 bits-per-pixel framebuffer format, the decoder allocated the framebuffer at 2 bytes per pixel but the fill operation wrote 4 bytes per pixel, causing writes beyond the allocated buffer. Additionally, the decoder read color values from RRE, CoRRE, and Hextile encoded framebuffer updates using a fixed 4-byte format instead of respecting the negotiated pixel size, leading to incorrect data interpretation for smaller pixel formats.
Impact
A malicious third party could trigger a heap out-of-bounds write by operating a crafted VNC server that sends framebuffer updates with specific pixel formats and encoding types. This can result in a crash, denial of service, data corruption, or potentially arbitrary code execution in the client application using the RFB source element.
Solution
The gst-plugins-bad 1.28.5 release addresses the issue. People using older
versions of GStreamer should apply the patch and recompile.
References
The GStreamer project
CVE Database Entries
GStreamer 1.28.5 release
Patches