Bug 2497679 (CVE-2026-14935) - CVE-2026-14935 gstreamer: gstreamer: webrtcbin accepts remote SDP without a=fingerprint due to inverted presence check
Summary: CVE-2026-14935 gstreamer: gstreamer: webrtcbin accepts remote SDP without a=f...
Keywords:
Status: NEW
Alias: CVE-2026-14935
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-07 11:26 UTC by OSIDB Bzimport
Modified: 2026-07-07 15:27 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-07 11:26:28 UTC
A logic vulnerability was found in GStreamer's webrtcbin component (gst-plugins-bad). The _check_sdp_crypto() function in webrtcsdp.c contains an inverted boolean condition at lines 128-134 that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it.

The check reads:
  if (!IS_EMPTY_SDP_ATTRIBUTE(message_fingerprint) && !IS_EMPTY_SDP_ATTRIBUTE(media_fingerprint))
Which means: if BOTH fingerprints ARE present, reject. The correct logic should reject when both are ABSENT.

File: subprojects/gst-plugins-bad/ext/webrtc/webrtcsdp.c
Function: _check_sdp_crypto()

An attacker who can intercept and modify the WebRTC signaling channel can remove a=fingerprint attributes from SDP messages. The vulnerable webrtcbin will accept the modified SDP, bypassing the RFC 8122 fingerprint-to-DTLS-certificate binding. This weakens defenses against man-in-the-middle attacks on media streams.

Practical impact is limited: exploitation requires MITM on the signaling channel (typically TLS-protected), and the DTLS layer may still independently validate certificates. This is a defense-in-depth bypass, not a complete cryptographic break.

Affected: GStreamer gst-plugins-bad (reproduced on 1.28.3 and current main)
Fixed: Planned for GStreamer 1.28.5
Fix MR: https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/98
Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5171 (confidential)

Reporter: Clouditera Security; Z.ai Security; NSFOCUS
PSIRT Ticket: PSIRTSUPT-19091


Note You need to log in before you can comment on or make changes to this bug.