2486328 – (CVE-2026-52718) CVE-2026-52718 gstreamer1-plugins-bad-free: GStreamer: Denial of service via AV1 tile_list_obu parser byte/bit confusion

Bug 2486328 (CVE-2026-52718) - CVE-2026-52718 gstreamer1-plugins-bad-free: GStreamer: Denial of service via AV1 tile_list_obu parser byte/bit confusion

Summary: CVE-2026-52718 gstreamer1-plugins-bad-free: GStreamer: Denial of service via ...

Keywords:
Status:	NEW
Alias:	CVE-2026-52718
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-08 13:07 UTC by OSIDB Bzimport
Modified:	2026-06-15 17:16 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-08 13:07:10 UTC

GStreamer AV1 tile_list_obu parser abort vulnerability. The gst_av1_parser_parse_tile_list_obu() function in gstav1parser.c (gst-plugins-bad) passes a byte count to gst_bit_reader_skip(), which expects a bit count. This causes parser desynchronization and a deterministic g_assert abort when processing a specially crafted AV1 media file. A 21-byte test case is sufficient to trigger the crash. Upstream confirmed by maintainer Sebastian Dröge (2026-06-02). Fix planned for GStreamer 1.28.4 or 1.28.5. Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5103 (confidential). Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss 1.

Note You need to log in before you can comment on or make changes to this bug.