rpms/gstreamer1
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

[security][HIGH] gstreamer1 1.28.0: 11 CVE require triage #1

New issue
Open
opened 2026-05-25 20:44:29 +03:00 by sbelikov · 0 comments
sbelikov commented 2026-05-25 20:44:29 +03:00
Owner
Copy link

CVE triage request / Запрос на разбор CVE

Package / Пакет

  • Package: gstreamer1
  • Version: 1.28.0
  • EVR: 1.28.0-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: HIGH
  • Max CVSS: 8.8
  • CVE count: 11
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-range

LLM recommendation / Рекомендация LLM

RU

Для пакета gstreamer1 1.28.0 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-1940, CVE-2026-2920, CVE-2026-2921, CVE-2026-2922, CVE-2026-2923, CVE-2026-3081, CVE-2026-3082, CVE-2026-3083, CVE-2026-3084, CVE-2026-3085, CVE-2026-3086. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for gstreamer1 1.28.0: CVE-2026-1940, CVE-2026-2920, CVE-2026-2921, CVE-2026-2922, CVE-2026-2923, CVE-2026-3081, CVE-2026-3082, CVE-2026-3083, CVE-2026-3084, CVE-2026-3085, CVE-2026-3086. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE Severity CVSS Match Confidence NiceOS status Fixed in Existing issue Reason
CVE-2026-3083 HIGH 8.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-3085 HIGH 8.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-2920 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-2921 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-2922 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-2923 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-3081 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-3082 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-3084 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-3086 HIGH 7.8 cpe-range 83 needs_triage package version is inside version range
CVE-2026-1940 HIGH 7.5 cpe-range 83 needs_triage package version is inside version range

Descriptions

CVE-2026-3083

GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.

CVE-2026-3085

GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.

CVE-2026-2920

GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.

CVE-2026-2921

GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.

CVE-2026-2922

GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.

CVE-2026-2923

GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.

CVE-2026-3081

GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839.

CVE-2026-3082

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.

CVE-2026-3084

GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910.

CVE-2026-3086

GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911.

CVE-2026-1940

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.

Scanner integration / Интеграция со сканером

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2026-1940",
    "CVE-2026-2920",
    "CVE-2026-2921",
    "CVE-2026-2922",
    "CVE-2026-2923",
    "CVE-2026-3081",
    "CVE-2026-3082",
    "CVE-2026-3083",
    "CVE-2026-3084",
    "CVE-2026-3085",
    "CVE-2026-3086"
  ],
  "fingerprint": "10bd0c922149d4a806f6",
  "generated_at": "2026-05-25T17:44:29Z",
  "match_ids": [
    1386,
    1387,
    1388,
    1389,
    1390,
    1391,
    1392,
    1393,
    1394,
    1395,
    1396
  ],
  "match_types": [
    "cpe-range"
  ],
  "package": "gstreamer1",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "1.28.0"
}
<!-- niceos-cve-fingerprint: 10bd0c922149d4a806f6 --> <!-- niceos-cve-package: gstreamer1 --> <!-- niceos-cve-cves: CVE-2026-1940, CVE-2026-2920, CVE-2026-2921, CVE-2026-2922, CVE-2026-2923, CVE-2026-3081, CVE-2026-3082, CVE-2026-3083, CVE-2026-3084, CVE-2026-3085, CVE-2026-3086 --> <!-- niceos-cve-source: niceos_cve_scan_packages_auto_cpe --> # CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `gstreamer1` - Version: `1.28.0` - EVR: `1.28.0-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `8.8` - CVE count: `11` - Included NiceOS statuses: `needs_triage` - Included match types: `cpe-range` ## LLM recommendation / Рекомендация LLM ### RU Для пакета gstreamer1 1.28.0 найдены CVE-кандидаты по данным NVD/CPE: CVE-2026-1940, CVE-2026-2920, CVE-2026-2921, CVE-2026-2922, CVE-2026-2923, CVE-2026-3081, CVE-2026-3082, CVE-2026-3083, CVE-2026-3084, CVE-2026-3085, CVE-2026-3086. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for gstreamer1 1.28.0: CVE-2026-1940, CVE-2026-2920, CVE-2026-2921, CVE-2026-2922, CVE-2026-2923, CVE-2026-3081, CVE-2026-3082, CVE-2026-3083, CVE-2026-3084, CVE-2026-3085, CVE-2026-3086. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason | |---|---|---:|---|---:|---|---|---|---| | CVE-2026-3083 | HIGH | 8.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-3085 | HIGH | 8.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-2920 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-2921 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-2922 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-2923 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-3081 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-3082 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-3084 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-3086 | HIGH | 7.8 | cpe-range | 83 | needs_triage | | | package version is inside version range | | CVE-2026-1940 | HIGH | 7.5 | cpe-range | 83 | needs_triage | | | package version is inside version range | ## Descriptions ### CVE-2026-3083 GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850. ### CVE-2026-3085 GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851. ### CVE-2026-2920 GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843. ### CVE-2026-2921 GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854. ### CVE-2026-2922 GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845. ### CVE-2026-2923 GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838. ### CVE-2026-3081 GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of decoding units. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28839. ### CVE-2026-3082 GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840. ### CVE-2026-3084 GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910. ### CVE-2026-3086 GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of APS units. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28911. ### CVE-2026-1940 An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read. ## Scanner integration / Интеграция со сканером This issue was generated from `niceos_cve_matches` after the SPEC/Forgejo evidence pass. After real creation, this script writes `forgejo_issue_open` rows into `niceos_cve_evidence` and marks the selected CVE rows as `issue_open`, so the next scanner/creator run does not duplicate the issue. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2026-1940", "CVE-2026-2920", "CVE-2026-2921", "CVE-2026-2922", "CVE-2026-2923", "CVE-2026-3081", "CVE-2026-3082", "CVE-2026-3083", "CVE-2026-3084", "CVE-2026-3085", "CVE-2026-3086" ], "fingerprint": "10bd0c922149d4a806f6", "generated_at": "2026-05-25T17:44:29Z", "match_ids": [ 1386, 1387, 1388, 1389, 1390, 1391, 1392, 1393, 1394, 1395, 1396 ], "match_types": [ "cpe-range" ], "package": "gstreamer1", "prompt_version": "niceos_cve_issue_analysis_v2", "statuses": [ "needs_triage" ], "tool": "niceos_cve_create_issues.py", "tool_version": "2.0", "version": "1.28.0" } ```
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
niceos-5.2
No results found.
Labels
Clear labels   
auto-analysis
Created by niceos_cve_create_issues.py

  
cve
Created by niceos_cve_create_issues.py

  
match-cpe-range
Created by niceos_cve_create_issues.py

  
needs-triage
Created by niceos_cve_create_issues.py

  
security
Created by niceos_cve_create_issues.py

  
severity-high
Created by niceos_cve_create_issues.py

  
source-niceos-scan
Created by niceos_cve_create_issues.py

  
source-nvd
Created by niceos_cve_create_issues.py

No labels
auto-analysis
cve
match-cpe-range
needs-triage
security
severity-high
source-niceos-scan
source-nvd
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
rpms/gstreamer1#1
No description provided.