2487615 – (CVE-2026-53705) CVE-2026-53705 gstreamer1-plugins-good: GStreamer: Heap buffer overflow in WavPack decoder via integer overflow

Bug 2487615 (CVE-2026-53705) - CVE-2026-53705 gstreamer1-plugins-good: GStreamer: Heap buffer overflow in WavPack decoder via integer overflow

Summary: CVE-2026-53705 gstreamer1-plugins-good: GStreamer: Heap buffer overflow in Wa...

Keywords:
Status:	NEW
Alias:	CVE-2026-53705
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2488946
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-10 16:16 UTC by OSIDB Bzimport
Modified:	2026-06-15 16:38 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-10 16:16:05 UTC

GStreamer WavPack decoder heap buffer overflow via integer overflow. In gst_wavpack_dec_handle_frame() (gstwavpackdec.c), the allocation g_malloc(4 * wph.block_samples * dec->channels) uses unchecked 32-bit arithmetic. With block_samples=0x20000001 and stereo, the multiplication wraps to 8 bytes; WavpackUnpackSamples() then writes ~4 GiB past the allocation. Affects 64-bit RHEL (arithmetic is 32-bit before size_t promotion). Fix pending in GStreamer 1.28.4. Reported via PSIRTSUPT-8879 by Seung Min Shin.

Note You need to log in before you can comment on or make changes to this bug.