Bug 2486732 (CVE-2026-52721)

Summary: CVE-2026-52721 gstreamer1-plugins-bad-free: GStreamer: Multiple out-of-bounds reads in pcapparse IPv4/TCP header parsing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
Multiple out-of-bounds read vulnerabilities were found in GStreamer's pcapparse element. Malformed PCAP records can trigger reads beyond buffer boundaries during IPv4/TCP header parsing. This element is primarily used in debugging pipelines, limiting real-world exposure. A local attacker could trick a user into processing a specially crafted PCAP file, potentially leading to a crash or information disclosure.

Description OSIDB Bzimport 2026-06-09 07:36:55 UTC
GStreamer pcapparse element multiple out-of-bounds read vulnerabilities. In gstpcapparse.c (gst-plugins-bad), multiple issues exist in PCAP record parsing:

(1) At line 465-466, src_port/dst_port are read from buf_proto without verifying sufficient data exists after the IP header for TCP/UDP header fields.

(2) At line 485, payload_size = ip_packet_len - ip_header_size - len trusts the ip_packet_len field from the IP header. A spoofed value larger than the actual buffer yields a payload_size exceeding available data.

(3) When payload_size is computed from an untrusted IP length field, downstream gets data from the next PCAP record.

Upstream confirmed by maintainer Sebastian Dröge (2026-06-02): "Confirmed, OOB reads. Can only be triggered in specially crafted GStreamer pipelines (as built for debugging purposes) on specially crafted data, very unlikely to cause problems in reality."

Fix planned for GStreamer 1.28.4.

Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5106 (confidential).

Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss (moss80199).
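The length checks that items (1) to (3) describe as missing, written as an added stand-alone example; it is not code from gstpcapparse.c and not the upstream fix. The names `parse_ipv4_l4`, `l4_info` and `sample_pkt` are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {                 /* hypothetical result type, not a GStreamer struct */
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_size;
} l4_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Parse IPv4 + TCP/UDP from one captured record; `avail` is the byte count really
 * present after the link-layer header. Returns 0, or -1 on any length mismatch. */
int parse_ipv4_l4(const uint8_t *buf, size_t avail, l4_info *out)
{
    if (avail < 20 || (buf[0] >> 4) != 4)
        return -1;                          /* no room for a minimal IPv4 header */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t total = rd16(buf + 2);           /* untrusted IP total-length field */
    if (ihl < 20 || total < ihl || total > avail)
        return -1;                          /* claimed length exceeds the record */
    const uint8_t *l4 = buf + ihl;
    size_t l4_avail = total - ihl;
    size_t min_hdr = buf[9] == 6 ? 20 : buf[9] == 17 ? 8 : 0;   /* TCP, UDP, other */
    if (min_hdr == 0 || l4_avail < min_hdr)
        return -1;                          /* ports / fixed header not captured */
    size_t l4_hdr = buf[9] == 6 ? (size_t)(l4[12] >> 4) * 4 : 8;
    if (l4_hdr < min_hdr || l4_hdr > l4_avail)
        return -1;                          /* TCP data offset leaves the packet */
    out->src_port = rd16(l4);
    out->dst_port = rd16(l4 + 2);
    out->payload = l4 + l4_hdr;
    out->payload_size = l4_avail - l4_hdr;  /* cannot underflow after the checks */
    return 0;
}

/* Constructed sample: 20-byte IPv4 header, 20-byte TCP header, 4 payload bytes. */
static const uint8_t sample_pkt[44] = {
    0x45,0x00,0x00,0x2c, 0,0,0,0, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2,
    0x30,0x39,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x18,0x10,0x00, 0,0,0,0,
    'p','c','a','p' };

int main(void)
{
    l4_info r;
    printf("full record: %d\n", parse_ipv4_l4(sample_pkt, sizeof sample_pkt, &r));
    printf("truncated to 22 bytes: %d\n", parse_ipv4_l4(sample_pkt, 22, &r));
    return 0;
}
```

Because the payload size is derived only after the total length has been bounded by the captured record size, a rejected record can never hand downstream bytes that belong to the next PCAP record.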