CVE-2026-12892

Sažetak

A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.

Reference

https://access.redhat.com/security/cve/CVE-2026-12892
https://bugzilla.redhat.com/show_bug.cgi?id=2491321
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5108

CVSS

Base:	4.4
Impact:	2.5
Exploitability:	1.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	LOW

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Zadnje važnije ažuriranje

23-06-2026 - 21:16

Objavljeno

23-06-2026 - 21:16