gstreamer1-plugins-bad-free-1.16.1-6.el8_10, gstreamer1-plugins-base-1.16.1-6.el8_10, gstreamer1-plugins-good-1.16.1-6.el8_10
エラータID: AXSA:2026-460:01
GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.
Security Fix(es):
* GStreamer: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920)
* GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser (CVE-2026-3082)
* GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (CVE-2026-3085)
* GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling (CVE-2026-2921)
* GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083)
* GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in DVB Subtitles handling (CVE-2026-2923)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-2920
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
CVE-2026-2921
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
CVE-2026-2923
GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.
CVE-2026-3082
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.
CVE-2026-3083
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
CVE-2026-3085
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
Update packages.
GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of coordinates. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28838.
GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of Huffman tables. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28840.
GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.
GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28851.
N/A
SRPMS
- gstreamer1-plugins-bad-free-1.16.1-6.el8_10.src.rpm
MD5: d084de661331bd0899ce5a86f96ea1e9
SHA-256: af5d11f27dee64b12cfd93ddccd7c60a726d792a658e0320efee5153390d7eb2
Size: 5.03 MB - gstreamer1-plugins-base-1.16.1-6.el8_10.src.rpm
MD5: b6bd181890eebc0118bf54c5a68910a2
SHA-256: 6f149fa2e122cfdcfb451bb181592aaebefc480ae8cc4b65bdb8b519509315a7
Size: 3.78 MB - gstreamer1-plugins-good-1.16.1-6.el8_10.src.rpm
MD5: 9091e65b95cdf9023ad4a42933cf3f5c
SHA-256: a69aadd24b5d7adeaa870e1d0cf6ef5d440d15be4e4e89b00a86050dcd9cc0f1
Size: 3.75 MB
Asianux Server 8 for x86_64
- gstreamer1-plugins-bad-free-1.16.1-6.el8_10.i686.rpm
MD5: 726af925176d55d55e008fe6369f65f1
SHA-256: 2acf40ecb79d1d892899dd58197eaee40d0239c668013b1b20f029ae1982ccbf
Size: 1.91 MB - gstreamer1-plugins-bad-free-1.16.1-6.el8_10.x86_64.rpm
MD5: 4d90daf4dfb288453ee5181db883fafc
SHA-256: 940b917d2883dc064f88c01de204c2241f25ab1f6c93d8b06990f76f88b184a2
Size: 1.83 MB - gstreamer1-plugins-bad-free-devel-1.16.1-6.el8_10.i686.rpm
MD5: f3da47c0d84dc126a892497d25569345
SHA-256: 54fef4c28b56318f384b5ff93df34d0a6012319a0b82579d8197466305686c21
Size: 525.59 kB - gstreamer1-plugins-bad-free-devel-1.16.1-6.el8_10.x86_64.rpm
MD5: f689727ca8f74ab1e7c77d54db6c8a2d
SHA-256: 6bcd311b4f7e2418108ce5ca946f37a54048b886c856fa83fe942b1860e0b1d1
Size: 525.66 kB - gstreamer1-plugins-base-1.16.1-6.el8_10.i686.rpm
MD5: 319b3eb9bd4bc001f82edf3e0fa01221
SHA-256: c53d78891b3ecabe1d95f483f083f7305baa89fe17ea7bf5f55431eeaff9ae3b
Size: 2.03 MB - gstreamer1-plugins-base-1.16.1-6.el8_10.x86_64.rpm
MD5: 4f5596edacfe66a78a5eefcff80194de
SHA-256: 60442afd982338f87ba1d50c85c68fd6da2de9e0d51a72c6ebbf93743de0fcc4
Size: 1.95 MB - gstreamer1-plugins-base-devel-1.16.1-6.el8_10.i686.rpm
MD5: 80cde5639230605137b49283651ddb15
SHA-256: 9682ecab75f453e9c44124a8e680210787f7ab02e12f23d7dfda922e2c0b53ba
Size: 421.02 kB - gstreamer1-plugins-base-devel-1.16.1-6.el8_10.x86_64.rpm
MD5: 572b99a81d4f09786f828b98f77cfc99
SHA-256: 9eeba0450328d607f9a9ff25110aa10c570aad6eefeb08d6cd76437567fefa67
Size: 421.10 kB - gstreamer1-plugins-good-1.16.1-6.el8_10.i686.rpm
MD5: 7e7f8d0c991e8035164d65c76b670b27
SHA-256: 32b1fba9feab6fa5cc6ccc599e6aac9e45bd6e3dd51966a0207b8b6c95fc2e85
Size: 2.37 MB - gstreamer1-plugins-good-1.16.1-6.el8_10.x86_64.rpm
MD5: b8975ead118db23df1d628f8b5c9e64f
SHA-256: dad50f1c0e265b52688ea9221e9611e54f11364f62128b6eb8262305e9d884f1
Size: 2.29 MB - gstreamer1-plugins-good-gtk-1.16.1-6.el8_10.i686.rpm
MD5: 225cb1cf92961327ad9f0554401ca707
SHA-256: a9acda46533b1f0cfb17f41fb2f1e142dc855caf134c495f0154bb15882f0eee
Size: 37.79 kB - gstreamer1-plugins-good-gtk-1.16.1-6.el8_10.x86_64.rpm
MD5: 5c93b1e3b0c85b5be5b9316c918b488a
SHA-256: abdef4268dcba5b76b670d8afac6bbba9aaff79a0acec08e64db49e59c244a35
Size: 36.59 kB