Bug 2497343 (CVE-2026-59691) - CVE-2026-59691 gstreamer: gstreamer: rfbsrc/librfb Hextile heap out-of-bounds write with 16bpp framebuffer
Summary: CVE-2026-59691 gstreamer: gstreamer: rfbsrc/librfb Hextile heap out-of-bounds...
Keywords:
Status: NEW
Alias: CVE-2026-59691
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-06 13:42 UTC by OSIDB Bzimport
Modified: 2026-07-09 09:27 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-06 13:42:12 UTC
A heap buffer overflow was found in GStreamer's rfbsrc plugin (gst-plugins-bad, librfb component). In rfb_decoder_fill_rectangle(), when a malicious RFB/VNC server advertises a 16bpp RGB565 framebuffer and sends a Hextile-encoded update, the background fill path computes the destination offset using decoder->bytespp (2 bytes) but casts the destination to guint32* and writes one 32-bit value per pixel. For bytespp == 2, the framebuffer is allocated as 2 bytes per pixel, but the fill loop writes and advances by 4 bytes per pixel, causing a heap out-of-bounds write.

File: subprojects/gst-plugins-bad/gst/librfb/rfbdecoder.c
Function: rfb_decoder_fill_rectangle()

A remote attacker controlling an RFB/VNC server can trigger this by having a client connect using rfbsrc. The demonstrated impact is heap-buffer-overflow and process abort. Since this is a heap out-of-bounds write on remote input, integrity impact is possible though code execution has not been demonstrated.

Affected: GStreamer gst-plugins-bad (reproduced on 1.28.3)
Fixed: Planned for GStreamer 1.28.5
Fix MR: https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100
Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5173 (confidential)
Advisory: GST-SA-2026-0063

Reporter: Clouditera Security; Z.ai Security; NSFOCUS
PSIRT Ticket: PSIRTSUPT-19089


Note You need to log in before you can comment on or make changes to this bug.