WebRTC Component Logic Vulnerability in GStreamer Software
CVE-2026-14935

3.7LOW

What is CVE-2026-14935?

A logic flaw in GStreamer's webrtcbin component allows the _check_sdp_crypto() function to incorrectly accept remote SDP offers that lack the essential a=fingerprint attribute, while erroneously rejecting valid ones. This vulnerability poses a significant risk as an attacker capable of intercepting and modifying WebRTC signaling messages could exploit it to bypass the crucial SDP-level DTLS certificate fingerprint binding. Such a scenario weakens defenses against man-in-the-middle attacks, potentially leading to compromised media streams.

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue.
.