Bug 2486732 (CVE-2026-52721) - CVE-2026-52721 gstreamer1-plugins-bad-free: GStreamer: Multiple out-of-bounds reads in pcapparse IPv4/TCP header parsing
Status: NEW
Alias: CVE-2026-52721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
 
Reported: 2026-06-09 07:36 UTC by OSIDB Bzimport
Modified: 2026-06-15 17:11 UTC (History)

Description OSIDB Bzimport 2026-06-09 07:36:55 UTC
GStreamer pcapparse element multiple out-of-bounds read vulnerabilities. In gstpcapparse.c (gst-plugins-bad), multiple issues exist in PCAP record parsing:

(1) At lines 465-466, src_port/dst_port are read from buf_proto without verifying sufficient data exists after the IP header for TCP/UDP header fields.
(2) At line 485, payload_size = ip_packet_len - ip_header_size - len trusts the ip_packet_len field from the IP header. A spoofed value larger than the actual buffer yields a payload_size exceeding available data.
(3) When payload_size is computed from an untrusted IP length field, downstream gets data from the next PCAP record.

Upstream confirmed by maintainer Sebastian Dröge (2026-06-02): "Confirmed, OOB reads. Can only be triggered in specially crafted GStreamer pipelines (as built for debugging purposes) on specially crafted data, very unlikely to cause problems in reality."

Fix planned for GStreamer 1.28.4. Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5106 (confidential). Reported via PSIRTSUPT-17026 by JUNYI LIU / Moss (moss80199).
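
Bounds checks covering the three reads described above, as an added example in C; it is not code from gstpcapparse.c or from the upstream fix. `parse_ipv4_l4`, `struct l4_info` and `sample_udp` are hypothetical names, the packet bytes are constructed, and the parser rejects (rather than clamps) a record whose IP total length exceeds the captured bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical result type; not a structure from gstpcapparse.c. */
struct l4_info { uint16_t src_port, dst_port; size_t payload_off, payload_len; };

/* Constructed sample: IPv4 (total length 32) + UDP 5004->5006 + 4 payload bytes. */
static uint8_t sample_udp[32] = {
    0x45, 0, 0, 32, 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x13, 0x8c, 0x13, 0x8e, 0, 12, 0, 0, 'd', 'a', 't', 'a' };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf[0..caplen) is the IPv4 packet as captured: caplen is the number of bytes
 * the PCAP record really holds after the link-layer header. Returns 0 on
 * success, -1 when a length field points outside the record. */
int parse_ipv4_l4(const uint8_t *buf, size_t caplen, struct l4_info *out)
{
    if (caplen < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > caplen) return -1;        /* IP options inside record */
    size_t ip_len = rd16(buf + 2);                  /* untrusted total length */
    if (ip_len < ihl || ip_len > caplen) return -1; /* items (2) and (3) */
    const uint8_t *l4 = buf + ihl;
    size_t l4_avail = ip_len - ihl, l4_hdr;
    if (buf[9] == 17) {                             /* UDP */
        if (l4_avail < 8) return -1;                /* item (1) */
        l4_hdr = 8;
    } else if (buf[9] == 6) {                       /* TCP */
        if (l4_avail < 20) return -1;               /* item (1) */
        l4_hdr = (size_t)(l4[12] >> 4) * 4;         /* data offset */
        if (l4_hdr < 20 || l4_hdr > l4_avail) return -1;
    } else return -1;                               /* other protocols not handled */
    out->src_port = rd16(l4);
    out->dst_port = rd16(l4 + 2);
    out->payload_off = ihl + l4_hdr;
    out->payload_len = l4_avail - l4_hdr;           /* stays within caplen */
    return 0;
}

int main(void)
{
    struct l4_info r;
    int rc = parse_ipv4_l4(sample_udp, sizeof sample_udp, &r);
    printf("intact: rc=%d ports=%u->%u payload=%zu\n", rc, r.src_port, r.dst_port, r.payload_len);
    sample_udp[2] = 0xff; sample_udp[3] = 0xff;     /* spoofed total length */
    printf("spoofed length: rc=%d\n", parse_ipv4_l4(sample_udp, sizeof sample_udp, &r));
    return 0;
}
```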

