WebRTC Component Logic Vulnerability in GStreamer Software
CVE-2026-14935
3.7LOW
What is CVE-2026-14935?
A logic flaw in GStreamer's webrtcbin component allows the _check_sdp_crypto() function to incorrectly accept remote SDP offers that lack the essential a=fingerprint attribute, while erroneously rejecting valid ones. This vulnerability poses a significant risk as an attacker capable of intercepting and modifying WebRTC signaling messages could exploit it to bypass the crucial SDP-level DTLS certificate fingerprint binding. Such a scenario weakens defenses against man-in-the-middle attacks, potentially leading to compromised media streams.
References
CVSS V3.1
Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue.