Bug 2491321 (CVE-2026-12892)

Summary: CVE-2026-12892 gstreamer1-plugins-bad: 1-byte heap out-of-bounds read in H.264 NAL extension slice parser
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.

Description OSIDB Bzimport 2026-06-22 11:33:27 UTC
A 1-byte heap out-of-bounds read vulnerability exists in the gst_h264_parse_process_nal() function in subprojects/gst-plugins-bad/gst/videoparsers/gsth264parse.c. The function processes H.264 NAL units including GST_H264_NAL_SLICE_EXT (NAL type 20) for MVC/SVC extension slices.

At line 1132, the code dereferences *(nalu->data + nalu->offset + nalu->header_bytes) to check the first_mb_in_slice flag without first verifying that nalu->size > nalu->header_bytes. For extension slice types, header_bytes is set to 4 (1 byte base + 3 bytes extension header per gsth264parser.c:243). A malformed NAL unit with exactly size==4 passes the minimum size check (size >= 2 at line 999) but triggers a 1-byte read at offset 4, which is beyond the allocated buffer. The same bounds check pattern is correctly implemented in gst_h264_parse_collect_nal() at line 1259 with if (nalu->size > nalu->header_bytes).

The vulnerability affects GStreamer 1.x versions (tested against git version 1.29.1.1). Upstream maintainer Sebastian Droege confirmed the vulnerability via GitLab work item 5108.

Reported by Dr. Faruk Kazi, Ramesh Adhikari, and Ariba Afroz from CoE-CNDS Lab, VJTI, Mumbai, India. PSIRT Ticket: PSIRTSUPT-17585.
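The bounds check the description says is missing, shown as an added C example on a simplified model; this is not GStreamer's code or the upstream patch. NalModel, nal_model_init, first_payload_bit, check_nal and the sample byte arrays are hypothetical names and constructed data; only the field names, the header lengths and the size tests come from the report.

```c
#include <stddef.h>
#include <stdint.h>

#define NAL_SLICE_EXT 20   /* MVC/SVC extension slice NAL type, per the report */

/* Hypothetical model of the NAL descriptor: only the fields the report names. */
typedef struct {
    const uint8_t *data;   /* buffer containing the NAL unit */
    size_t offset;         /* start of the NAL unit within data */
    size_t size;           /* NAL unit length in bytes, header included */
    size_t header_bytes;   /* 1, or 4 for extension slices (1 base + 3 extension) */
} NalModel;

/* Fill the descriptor; returns 0 on success, -1 if the unit does not fit the
 * buffer or is below the 2-byte minimum the report mentions. */
static int nal_model_init(NalModel *n, const uint8_t *buf, size_t len,
                          size_t offset, size_t size)
{
    if (size < 2 || offset > len || size > len - offset)
        return -1;
    n->data = buf; n->offset = offset; n->size = size;
    n->header_bytes = ((buf[offset] & 0x1f) == NAL_SLICE_EXT) ? 4 : 1;
    return 0;
}

/* Guarded read of the first byte after the NAL header. first_mb_in_slice is
 * ue(v)-coded, so a leading 1 bit means the value 0.
 * Returns 1 or 0 for that bit, -1 when no byte follows the header. */
static int first_payload_bit(const NalModel *n)
{
    if (n->size <= n->header_bytes)   /* i.e. require size > header_bytes */
        return -1;
    return (n->data[n->offset + n->header_bytes] & 0x80) ? 1 : 0;
}

/* Returns -2 for a rejected descriptor, else first_payload_bit(). */
int check_nal(const uint8_t *buf, size_t len, size_t offset, size_t size)
{
    NalModel n;
    return nal_model_init(&n, buf, len, offset, size) ? -2 : first_payload_bit(&n);
}

/* Constructed sample NAL units, not taken from a real stream. */
const uint8_t EXT_HEADER_ONLY[4]  = {0x74, 0x00, 0x00, 0x00};
const uint8_t EXT_WITH_PAYLOAD[5] = {0x74, 0x00, 0x00, 0x00, 0x80};

int main(void) { return check_nal(EXT_HEADER_ONLY, 4, 0, 4) == -1 ? 0 : 1; }
```

The size==4 extension unit clears the 2-byte minimum yet has no byte after its 4-byte header, so the guarded read returns -1 instead of touching offset 4.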