GStreamer
open source multimedia framework
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
Follow us on Bluesky
Follow us on Mastodon
Chat with us on Matrix

Security Advisory 2026-0063 (CVE-2026-59691)

Summary Heap out-of-bounds write in RFB source when decoding framebuffer updates
Date 2026-07-08
Affected Versions GStreamer gst-plugins-bad < 1.28.5
IDs GStreamer-SA-2026-0063
CVE-2026-59691

Details

A heap out-of-bounds write vulnerability in the rfbsrc element (RFB source) in gst-plugins-bad. The underlying RFB decoder wrote pixel data using a fixed size when filling rectangles during framebuffer update decoding, regardless of the negotiated bytes-per-pixel value. When a VNC server advertised a 16 bits-per-pixel framebuffer format, the decoder allocated the framebuffer at 2 bytes per pixel but the fill operation wrote 4 bytes per pixel, causing writes beyond the allocated buffer. Additionally, the decoder read color values from RRE, CoRRE, and Hextile encoded framebuffer updates using a fixed 4-byte format instead of respecting the negotiated pixel size, leading to incorrect data interpretation for smaller pixel formats.

Impact

A malicious third party could trigger a heap out-of-bounds write by operating a crafted VNC server that sends framebuffer updates with specific pixel formats and encoding types. This can result in a crash, denial of service, data corruption, or potentially arbitrary code execution in the client application using the RFB source element.

Solution

The gst-plugins-bad 1.28.5 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.5 release

Patches


Report a problem on this page.