Bug 2486731 (CVE-2026-52720) - CVE-2026-52720 gstreamer1-plugins-bad-free: GStreamer: Heap buffer overflow via crafted VNC server rectangle in librfb
Summary: CVE-2026-52720 gstreamer1-plugins-bad-free: GStreamer: Heap buffer overflow v...
Keywords:
Status: NEW
Alias: CVE-2026-52720
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-09 07:33 UTC by OSIDB Bzimport
Modified: 2026-06-15 17:11 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-09 07:33:54 UTC 
GStreamer librfb (RFB/VNC client) heap buffer overflow vulnerability. In rfbdecoder.c (gst-plugins-bad), the rectangle bounds check incorrectly validates area rather than individual dimensions: if (((w * h) + (x * y)) > (decoder->width * decoder->height)). A malicious VNC server can send a FramebufferUpdate with crafted x/y/w/h values (e.g., x=0, y=0, w=2000, h=1 on a 1920-wide framebuffer) that pass this check but extend beyond the framebuffer. The raw encoding function then performs memcpy(frame, p, raw_line_size) where raw_line_size = w * bytespp is larger than the framebuffer line, writing past the end of each line into adjacent heap memory. This results in a controlled out-of-bounds heap write. Upstream confirmed by maintainer Sebastian Dröge (2026-06-02): "Confirmed, OOB write. Triggers when connecting to a malicious/broken VNC/RFB server." Fix planned for GStreamer 1.28.4. Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5105 (confidential). Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss (moss80199).
Note You need to log in before you can comment on or make changes to this bug.