Bug 2487615 (CVE-2026-53705)

Summary: CVE-2026-53705 gstreamer1-plugins-good: GStreamer: Heap buffer overflow in WavPack decoder via integer overflow
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good. When processing a specially crafted WavPack file, an integer overflow in the buffer size calculation (4 * block_samples * channels) in gst_wavpack_dec_handle_frame() causes a very small heap allocation. The WavPack library then writes decoded audio samples far beyond the allocated buffer, resulting in heap memory corruption. This affects both 32-bit and 64-bit systems since the arithmetic is performed in 32-bit integers before promotion to the allocation size type. A remote attacker could use this flaw to crash an application or potentially execute arbitrary code by convincing a user to open a malicious WavPack audio file.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2488946    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-10 16:16:05 UTC
GStreamer WavPack decoder heap buffer overflow via integer overflow. In gst_wavpack_dec_handle_frame() (gstwavpackdec.c), the allocation g_malloc(4 * wph.block_samples * dec->channels) uses unchecked 32-bit arithmetic. With block_samples=0x20000001 and stereo, the multiplication wraps to 8 bytes; WavpackUnpackSamples() then writes ~4 GiB past the allocation. Affects 64-bit RHEL (arithmetic is 32-bit before size_t promotion). Fix pending in GStreamer 1.28.4. Reported via PSIRTSUPT-8879 by Seung Min Shin.

Comment 1 errata-xmlrpc 2026-07-08 12:33:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:36675 https://access.redhat.com/errata/RHSA-2026:36675

Comment 2 errata-xmlrpc 2026-07-08 15:31:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:36774 https://access.redhat.com/errata/RHSA-2026:36774

Comment 3 errata-xmlrpc 2026-07-09 08:30:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:37129 https://access.redhat.com/errata/RHSA-2026:37129