GStreamer
open source multimedia framework

Security Advisory 2026-0045 (CVE-2026-52721)

Summary: Out-of-bounds reads in PCAP parser due to missing bounds checks
Date: 2026-06-16
Affected Versions: GStreamer gst-plugins-bad < 1.28.5
IDs: GStreamer-SA-2026-0045, CVE-2026-52721

Details

The pcapparse element (PCAP file parser) in gst-plugins-bad contains multiple out-of-bounds read vulnerabilities. In affected versions, the parser trusts header-derived offsets and lengths from IPv4 and TCP packets without verifying that they fit within the captured PCAP record. Specifically, the IPv4 IHL field, the IPv4 total length field, and the TCP data offset field are used to compute buffer pointers and payload sizes without sufficient bounds validation. This allows crafted PCAP files with oversized header fields or truncated packet data to trigger reads beyond the allocated buffer.
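
The bounds checks described above, written out as an added C example (this is not the GStreamer patch or any project code). The function names tcp_payload_checked and check_sample are hypothetical, the record is assumed to start at the IPv4 header, and rejecting a record whose total length exceeds the captured length (rather than clamping it) is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GStreamer code. buf points at the IPv4 header of one
 * captured record; caplen is the number of bytes actually captured.
 * Returns the TCP payload length and sets *payload, or -1 when a
 * header-derived offset or length does not fit inside the record. */
long tcp_payload_checked(const uint8_t *buf, size_t caplen,
                         const uint8_t **payload)
{
    if (caplen < 20 || (buf[0] >> 4) != 4)      /* fixed IPv4 header, version */
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (ihl < 20 || ihl > caplen)
        return -1;
    size_t total = ((size_t)buf[2] << 8) | buf[3];  /* IPv4 total length */
    if (total < ihl || total > caplen)          /* assumption: reject, not clamp */
        return -1;
    if (buf[9] != 6 || total - ihl < 20)        /* TCP, fixed TCP header fits */
        return -1;
    const uint8_t *tcp = buf + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;   /* data offset, 32-bit words */
    if (doff < 20 || doff > total - ihl)
        return -1;
    *payload = tcp + doff;
    return (long)(total - ihl - doff);
}

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header + 4 payload
 * bytes; the three length fields and caplen can be overridden. */
long check_sample(unsigned ihl_words, unsigned total_len,
                  unsigned doff_words, size_t caplen)
{
    uint8_t pkt[44];
    const uint8_t *payload = NULL;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    pkt[2] = (uint8_t)(total_len >> 8);
    pkt[3] = (uint8_t)(total_len & 0xff);
    pkt[9] = 6;                                  /* protocol: TCP */
    pkt[32] = (uint8_t)((doff_words & 0x0f) << 4);
    return tcp_payload_checked(pkt, caplen > sizeof pkt ? sizeof pkt : caplen, &payload);
}

int main(void) {
    printf("well-formed: %ld, oversized IHL: %ld\n",
           check_sample(5, 44, 5, 44), check_sample(15, 44, 5, 44));
    return 0;
}
```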

Impact

A malicious third party could trigger out-of-bounds reads by providing a crafted PCAP file with malformed IPv4 or TCP header fields, potentially resulting in a crash, denial of service, or information disclosure.

Solution

The gst-plugins-bad 1.28.5 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.5 release

Note: This advisory was published before the GStreamer 1.28.5 release since the CVE numbering authority accidentally released the CVE details ahead of schedule. The release is planned for early July 2026.

Patches

