Out-of-Bounds Read Vulnerability in GStreamer Plugin by Red Hat
CVE-2026-12891
4.3 MEDIUM
What is CVE-2026-12891?
A flaw was found in the GStreamer gst-plugins-bad package when handling a malformed H.266/VVC video stream that carries a crafted aspect ratio indicator. The H.266 parser then reads out of bounds of nearby memory, and the bytes it reads can surface in the stream's video metadata, leaking limited memory contents. An attacker who can get a GStreamer-based application to process a malicious H.266 file or stream can therefore disclose limited contents of that application's address space.
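The advisory names the bug class but shows no code. The following added example, which is not GStreamer's code and does not claim to reproduce what gst-plugins-bad did, shows the shape such a flaw typically takes: a lookup table indexed directly by the stream-supplied aspect ratio indicator, beside a range-checked version. The table holds the standard VUI aspect ratio values (aspect_ratio_idc 1..16, with 255 meaning EXTENDED_SAR); the function names and the constructed indicator values are assumptions for the illustration.

```c
/* Illustration of the bug class only; NOT GStreamer's parser code.
 * Function names and the sample indicator values are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define EXTENDED_SAR 255   /* aspect_ratio_idc value: explicit sar_width/sar_height follow */

/* Sample aspect ratios for aspect_ratio_idc 0..16 (0 = unspecified), as in the
 * VUI aspect-ratio table shared by H.264, H.265 and H.266. */
static const struct { uint16_t w, h; } sar_table[] = {
    {0, 0},   {1, 1},   {12, 11}, {10, 11}, {16, 11}, {40, 33},
    {24, 11}, {20, 11}, {32, 11}, {80, 33}, {18, 11}, {15, 11},
    {64, 33}, {160, 99}, {4, 3},  {3, 2},   {2, 1},
};
#define SAR_TABLE_LEN (sizeof sar_table / sizeof sar_table[0])

/* Vulnerable pattern: the 8-bit indicator from the bitstream is used as the
 * table index without a range check. Reserved values 17..254 read past the
 * table into whatever static data follows it, and the bogus width/height
 * then travel into caps/metadata, which is how the leaked bytes become
 * observable. Only ever call this with idc < SAR_TABLE_LEN. */
static void lookup_sar_unchecked(uint8_t idc, uint16_t *w, uint16_t *h) {
    *w = sar_table[idc].w;   /* out-of-bounds read for idc >= 17 */
    *h = sar_table[idc].h;
}

/* Hardened lookup: EXTENDED_SAR is handled explicitly, reserved indicators are
 * rejected before any table access, and 0 yields 0:0 (unspecified). */
static bool lookup_sar_checked(uint8_t idc, uint16_t ext_w, uint16_t ext_h,
                               uint16_t *w, uint16_t *h) {
    if (idc == EXTENDED_SAR) {
        if (ext_w == 0 || ext_h == 0) return false;   /* degenerate explicit SAR */
        *w = ext_w;
        *h = ext_h;
        return true;
    }
    if (idc >= SAR_TABLE_LEN) return false;           /* reserved 17..254: reject */
    *w = sar_table[idc].w;
    *h = sar_table[idc].h;
    return true;
}

int main(void) {
    /* Constructed indicator values: one valid, one reserved (the crafted case),
     * one EXTENDED_SAR with explicit dimensions. */
    const uint8_t samples[] = { 14, 200, EXTENDED_SAR };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t w = 0, h = 0;
        bool ok = lookup_sar_checked(samples[i], 640, 480, &w, &h);
        printf("aspect_ratio_idc=%3u -> %s (%u:%u)\n",
               samples[i], ok ? "accepted" : "rejected", w, h);
    }
    return 0;
}
```

The checked variant never indexes the table with a value it has not compared against SAR_TABLE_LEN, so a crafted indicator is reported as a parse error instead of becoming a memory read; the unchecked variant is kept only to show the pattern and is never exercised with an out-of-range index here.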
CVSS v3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
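The metric values listed above do not reproduce the stated score. Under the CVSS v3.1 formula, AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L evaluates to 5.4; a score of 4.3 is what the same vector gives with Availability set to None, which is also the only impact the description actually mentions (disclosure). The calculator below is an added example (my code, not Red Hat's or FIRST's); the metric weights and the Roundup rule are taken from the CVSS v3.1 specification, the function names are my own, and only Scope: Unchanged vectors are handled.

```c
/* CVSS v3.1 base score, Scope:Unchanged only. Added example; weights and
 * Roundup follow the CVSS v3.1 specification, function names are assumptions. */
#include <stdio.h>

/* Metric weights for Scope:Unchanged. Each metric is one upper-case letter
 * as it appears in the vector string (AV:N, AC:L, PR:N, UI:R, C:L, ...). */
static double w_av(char v) { return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : 0.2; }
static double w_ac(char v) { return v == 'L' ? 0.77 : 0.44; }
static double w_pr(char v) { return v == 'N' ? 0.85 : v == 'L' ? 0.62 : 0.27; }
static double w_ui(char v) { return v == 'N' ? 0.85 : 0.62; }
static double w_cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* CVSS v3.1 Roundup: round to one decimal, always upward, using the
 * integer-arithmetic definition from the spec so that floating-point noise
 * in the fifth decimal cannot flip a score. Input is non-negative. */
static double cvss31_roundup(double x) {
    long long int_input = (long long)(x * 100000.0 + 0.5);
    if (int_input % 10000 == 0)
        return int_input / 100000.0;
    return (double)(int_input / 10000 + 1) / 10.0;
}

/* Base score for a Scope:Unchanged vector, metrics in the order
 * AV, AC, PR, UI, C, I, A. */
static double cvss31_base_unchanged(char av, char ac, char pr, char ui,
                                    char c, char i, char a) {
    double iss = 1.0 - (1.0 - w_cia(c)) * (1.0 - w_cia(i)) * (1.0 - w_cia(a));
    double impact = 6.42 * iss;
    double exploitability = 8.22 * w_av(av) * w_ac(ac) * w_pr(pr) * w_ui(ui);
    if (impact <= 0.0)
        return 0.0;
    double sum = impact + exploitability;
    return cvss31_roundup(sum < 10.0 ? sum : 10.0);
}

int main(void) {
    /* The vector as listed on this page (A:L) versus the same vector with A:N. */
    printf("AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L -> %.1f\n",
           cvss31_base_unchanged('N', 'L', 'N', 'R', 'L', 'N', 'L'));
    printf("AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N -> %.1f\n",
           cvss31_base_unchanged('N', 'L', 'N', 'R', 'L', 'N', 'N'));
    return 0;
}
```

When triaging, trust the vector over the headline number: if an advisory's metrics and score disagree, one of them was edited after the other, and the vector is what feeds most downstream prioritisation tooling.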
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Dr. Faruk Kazi (CoE-CNDS Lab, VJTI, Mumbai, India) and Ramesh Adhikari (CoE-CNDS Lab, VJTI, Mumbai, India) for reporting this issue.