Bug 2486733 (CVE-2026-52722) - CVE-2026-52722 gstreamer1-plugins-bad-free: GStreamer: Signed integer overflow in VMnc decoder cursor payload handling
Keywords:
Status: NEW
Alias: CVE-2026-52722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-09 07:37 UTC by OSIDB Bzimport
Modified: 2026-06-15 17:12 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-09 07:37:00 UTC
GStreamer VMnc decoder signed integer overflow vulnerability.

In vmncdec.c (gst-plugins-bad), at line 408, the cursor payload size computation datalen += rect->width * rect->height * dec->format.bytes_per_pixel * 2 uses signed 32-bit arithmetic. A crafted VMnc stream with large cursor dimensions (e.g., 65535 x 65535) overflows the signed multiplication to a negative value, causing datalen to become small or negative. The check if (len < datalen) then passes, g_malloc(size) allocates a tiny buffer, but the rendering loop in render_colour_cursor() uses the original large width/height values (dec->cursor.width = 65535) to iterate, reading far beyond the tiny allocated buffer into adjacent heap memory.

Upstream confirmed by maintainer Sebastian Dröge (2026-06-02): "Confirmed, integer overflow that leads to OOB reads. Can lead to crashes or possibly information disclosure, and can be triggered from specially crafted files." Fix planned for GStreamer 1.28.4.

Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107 (confidential).

Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss (moss80199).
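The following is an added example, not GStreamer's code or the upstream fix: it models the signed 32-bit size computation described above so the wrap is visible, and places beside it an overflow-checked validation that rejects the same cursor dimensions. Field names, the 4 bytes-per-pixel value and the "available bytes" figures are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the vulnerable computation. The decoder multiplies in signed 32-bit
 * int; signed overflow is undefined in C, so this helper reproduces the
 * two's-complement wrap seen in practice by computing in uint32_t first. */
static int32_t cursor_payload_len_wrapping(uint32_t width, uint32_t height,
                                           uint32_t bytes_per_pixel) {
    uint32_t n = width * height * bytes_per_pixel * 2u;
    return (int32_t)n;
}

/* The check as described in the report: it passes whenever the (possibly
 * wrapped, negative) datalen is not larger than the bytes on hand. */
static bool vulnerable_check_passes(int32_t len, uint32_t width,
                                    uint32_t height, uint32_t bpp) {
    int32_t datalen = cursor_payload_len_wrapping(width, height, bpp);
    return !(len < datalen);
}

/* Portable overflow-checked multiply in size_t. */
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Hardened validation (hypothetical, not the upstream patch): every multiply
 * is overflow-checked and the total is compared against the available bytes.
 * Returns true and sets *needed only when the payload genuinely fits. */
static bool cursor_payload_fits(size_t available, uint32_t width,
                                uint32_t height, uint32_t bpp, size_t *needed) {
    size_t n;
    if (!checked_mul(width, height, &n)) return false;
    if (!checked_mul(n, bpp, &n)) return false;
    if (!checked_mul(n, 2, &n)) return false;
    if (n > available) return false;
    *needed = n;
    return true;
}

int main(void) {
    size_t need = 0;
    /* Constructed inputs: the 65535 x 65535 cursor from the report, 4 bpp. */
    printf("wrapped datalen: %d\n", cursor_payload_len_wrapping(65535u, 65535u, 4u));
    printf("vulnerable check passes: %d\n", vulnerable_check_passes(1024, 65535u, 65535u, 4u));
    printf("hardened check accepts: %d\n", cursor_payload_fits(1024, 65535u, 65535u, 4u, &need));
    printf("32x32 cursor fits in 8192 bytes: %d (needs %zu)\n",
           cursor_payload_fits(8192, 32u, 32u, 4u, &need), need);
    return 0;
}
```

With the reported dimensions the wrapped datalen is -1048568, so the original comparison passes while the checked version rejects the payload; a 32x32 cursor still passes both.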

