Bug 2491321 (CVE-2026-12892) - CVE-2026-12892 gstreamer1-plugins-bad: gstreamer1-plugins-bad: 1-byte heap out-of-bounds read in H.264 NAL extension slice parser
Keywords:
Status: NEW
Alias: CVE-2026-12892
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-06-22 11:33 UTC by OSIDB Bzimport
Modified: 2026-06-23 14:02 UTC (History)
2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-22 11:33:27 UTC
A 1-byte heap out-of-bounds read vulnerability exists in the gst_h264_parse_process_nal() function in subprojects/gst-plugins-bad/gst/videoparsers/gsth264parse.c. The function processes H.264 NAL units including GST_H264_NAL_SLICE_EXT (NAL type 20) for MVC/SVC extension slices.

At line 1132, the code dereferences *(nalu->data + nalu->offset + nalu->header_bytes) to check the first_mb_in_slice flag without first verifying that nalu->size > nalu->header_bytes. For extension slice types, header_bytes is set to 4 (1 byte base + 3 bytes extension header per gsth264parser.c:243). A malformed NAL unit with exactly size==4 passes the minimum size check (size >= 2 at line 999) but triggers a 1-byte read at offset 4, which is beyond the allocated buffer. The same bounds check pattern is correctly implemented in gst_h264_parse_collect_nal() at line 1259 with if (nalu->size > nalu->header_bytes).

The vulnerability affects GStreamer 1.x versions (tested against git version 1.29.1.1). Upstream maintainer Sebastian Droege confirmed the vulnerability via GitLab work item 5108.

Reported by Dr. Faruk Kazi, Ramesh Adhikari, and Ariba Afroz from CoE-CNDS Lab, VJTI, Mumbai, India. PSIRT Ticket: PSIRTSUPT-17585.
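The following is an added example, not code from GStreamer or from the reporters, that models the missing check described above. It uses a constructed NalUnit struct that mirrors only the GstH264NalUnit fields the report mentions (data, offset, size, header_bytes), a header-length rule taken from the description (1 byte base, 4 bytes for extension slices), and constructed sample NAL bytes. The "vulnerable" function does not perform the out-of-bounds read; it reports whether the unguarded dereference would land past the NAL's own bytes. The hardened function applies the size > header_bytes guard the report credits gst_h264_parse_collect_nal() with. Reading first_mb_in_slice as the top bit of the first payload byte is an assumption based on Exp-Golomb coding (a ue(v) zero is the single bit '1'), not something the page states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the GstH264NalUnit fields that matter here (constructed for
 * this example; the real struct has more members). */
typedef struct {
    const uint8_t *data;  /* buffer holding the NAL unit */
    size_t offset;        /* where the NAL header starts inside data */
    size_t size;          /* bytes in the NAL unit, header included */
    size_t header_bytes;  /* 1 for ordinary NALs, 4 for extension slices */
    uint8_t type;         /* nal_unit_type, low 5 bits of the header byte */
} NalUnit;

#define NAL_SLICE_EXT 20  /* GST_H264_NAL_SLICE_EXT, MVC/SVC extension slice */

/* Header length rule from the report: 1 base byte + 3 extension header bytes
 * for extension slices, 1 byte otherwise. */
static size_t header_bytes_for_type(uint8_t type) {
    return (type == NAL_SLICE_EXT) ? 4 : 1;
}

static NalUnit make_nal(const uint8_t *buf, size_t len) {
    NalUnit n;
    n.data = buf;
    n.offset = 0;
    n.size = len;
    n.type = buf[0] & 0x1f;
    n.header_bytes = header_bytes_for_type(n.type);
    return n;
}

/* Vulnerable pattern: only the minimum-size guard (size >= 2) is applied, then
 * the byte after the header is dereferenced. Returns 1 if that dereference
 * would be out of bounds, 0 if in bounds, -1 if rejected by the size guard.
 * The read itself is deliberately not performed. */
int oob_read_for_buffer(const uint8_t *buf, size_t len) {
    NalUnit n = make_nal(buf, len);
    if (n.size < 2) return -1;
    return (n.header_bytes >= n.size) ? 1 : 0;
}

/* Hardened pattern: require size > header_bytes before touching the payload.
 * Returns 1 if first_mb_in_slice == 0 (top bit of first payload byte set),
 * 0 otherwise, -1 if the NAL carries no payload byte at all. */
int safe_first_mb_zero_for_buffer(const uint8_t *buf, size_t len) {
    NalUnit n = make_nal(buf, len);
    if (n.size < 2) return -1;
    if (n.size <= n.header_bytes) return -1;  /* the guard the fix needs */
    uint8_t first_payload = n.data[n.offset + n.header_bytes];
    return (first_payload & 0x80) ? 1 : 0;
}

/* Constructed samples. 0x74: forbidden_zero_bit 0, nal_ref_idc 3, type 20.
 * kShortExtSlice is exactly 4 bytes: header plus 3 extension bytes, no payload,
 * which is the size==4 case the report describes. */
static const uint8_t kShortExtSlice[4]        = { 0x74, 0x80, 0x00, 0x01 };
static const uint8_t kExtSliceWithPayload[5]  = { 0x74, 0x80, 0x00, 0x01, 0xB8 };
/* 0x65: type 5 (IDR slice), header_bytes 1, one payload byte. */
static const uint8_t kPlainSlice[2]           = { 0x65, 0xB8 };

int main(void) {
    printf("short ext slice: oob=%d safe=%d\n",
           oob_read_for_buffer(kShortExtSlice, 4),
           safe_first_mb_zero_for_buffer(kShortExtSlice, 4));
    printf("ext slice w/ payload: oob=%d safe=%d\n",
           oob_read_for_buffer(kExtSliceWithPayload, 5),
           safe_first_mb_zero_for_buffer(kExtSliceWithPayload, 5));
    printf("plain slice: oob=%d safe=%d\n",
           oob_read_for_buffer(kPlainSlice, 2),
           safe_first_mb_zero_for_buffer(kPlainSlice, 2));
    return 0;
}
```

The 4-byte extension slice shows why the generic size >= 2 guard is insufficient: it passes that guard, yet header_bytes already equals size, so the first payload byte lives one past the NAL. Checking size against the type-dependent header length, as the hardened function does, is the check that closes the gap; a byte that is not present should make the parser return or skip the NAL rather than read it.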

