Fedora Account System
Red Hat Associate
Red Hat Customer
A heap buffer overflow was found in GStreamer's rfbsrc plugin (gst-plugins-bad, librfb component). In rfb_decoder_fill_rectangle(), when a malicious RFB/VNC server advertises a 16bpp RGB565 framebuffer and sends a Hextile-encoded update, the background fill path computes the destination offset using decoder->bytespp (2 bytes) but casts the destination to guint32* and writes one 32-bit value per pixel. For bytespp == 2, the framebuffer is allocated as 2 bytes per pixel, but the fill loop writes and advances by 4 bytes per pixel, causing a heap out-of-bounds write. File: subprojects/gst-plugins-bad/gst/librfb/rfbdecoder.c Function: rfb_decoder_fill_rectangle() A remote attacker controlling an RFB/VNC server can trigger this by having a client connect using rfbsrc. The demonstrated impact is heap-buffer-overflow and process abort. Since this is a heap out-of-bounds write on remote input, integrity impact is possible though code execution has not been demonstrated. Affected: GStreamer gst-plugins-bad (reproduced on 1.28.3) Fixed: Planned for GStreamer 1.28.5 Fix MR: https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100 Upstream issue: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5173 (confidential) Advisory: GST-SA-2026-0063 Reporter: Clouditera Security; Z.ai Security; NSFOCUS PSIRT Ticket: PSIRTSUPT-19089