Bug 2486328 (CVE-2026-52718)

Summary:	CVE-2026-52718 gstreamer1-plugins-bad-free: GStreamer: Denial of service via AV1 tile_list_obu parser byte/bit confusion
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-08 13:07:10 UTC

GStreamer AV1 tile_list_obu parser abort vulnerability. The gst_av1_parser_parse_tile_list_obu() function in gstav1parser.c (gst-plugins-bad) passes a byte count to gst_bit_reader_skip(), which expects a bit count. This causes parser desynchronization and a deterministic g_assert abort when processing a specially crafted AV1 media file. A 21-byte test case is sufficient to trigger the crash. Upstream confirmed by maintainer Sebastian Dröge (2026-06-02). Fix planned for GStreamer 1.28.4 or 1.28.5. Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5103 (confidential). Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss 1.