GStreamer
open source multimedia framework

Security Advisory 2026-0025

Summary: Insufficient validation in MOV/MP4 demuxer uncompressed video handling
Date: 2026-05-11
Affected Versions: GStreamer gst-plugins-good < 1.28.3
IDs: GStreamer-SA-2026-0025

Details

The MOV/MP4 demuxer (qtdemux) did not sufficiently validate stride requirements and width/height constraints for uncompressed video streams. It did not validate that the row alignment size met the minimum stride requirements for the given video format, nor did it check that the width and height values were compatible with the chroma subsampling format (4:2:0, 4:2:2, 4:1:1).

This affected all uncompressed video profiles supported by the uncC (Uncompressed Video) box in MOV/MP4 files.
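
The two checks described above, sketched in C as an added example (this is not the GStreamer patch and not code from the project). The struct, its field names, and the treatment of a non-zero row alignment value as the row stride in bytes are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Chroma subsampling modes named in the advisory, plus 4:4:4. */
typedef enum { SUB_444, SUB_422, SUB_420, SUB_411 } subsampling_t;

/* Hypothetical holder for values a demuxer reads from an untrusted file. */
typedef struct {
    uint32_t width, height;   /* frame size in pixels */
    uint32_t row_align_size;  /* assumption: row stride in bytes, 0 = tightly packed */
    uint32_t bytes_per_pixel; /* first-plane bytes per pixel (1 for 8-bit planar luma) */
    subsampling_t sub;
} uncv_params;

/* Returns true and stores the first-plane stride when the parameters are
 * mutually consistent; returns false for anything a decoder must reject. */
static bool uncv_validate(const uncv_params *p, size_t *stride_out)
{
    uint32_t hdiv = 1, vdiv = 1;  /* chroma divisors, horizontal and vertical */

    switch (p->sub) {
    case SUB_444: break;
    case SUB_422: hdiv = 2; break;
    case SUB_420: hdiv = 2; vdiv = 2; break;
    case SUB_411: hdiv = 4; break;
    default: return false;        /* unknown subsampling value from the file */
    }
    if (p->width == 0 || p->height == 0 || p->bytes_per_pixel == 0)
        return false;
    /* Width and height must be whole multiples of the subsampling divisors. */
    if (p->width % hdiv != 0 || p->height % vdiv != 0)
        return false;

    /* 64-bit product of two 32-bit values cannot overflow. */
    uint64_t min_stride = (uint64_t)p->width * p->bytes_per_pixel;
    uint64_t stride = p->row_align_size ? p->row_align_size : min_stride;
    if (stride < min_stride)      /* declared rows shorter than one row of pixels */
        return false;
    if (stride > SIZE_MAX / p->height) /* plane size would overflow size_t */
        return false;

    *stride_out = (size_t)stride;
    return true;
}
```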

Impact

A malicious third party could trigger a crash or denial of service by providing a crafted MOV/MP4 file with invalid uncompressed video parameters.

Solution

The gst-plugins-good 1.28.3 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

  • No CVE number assigned or pending

GStreamer 1.28.3 release

Patches

