Denial of Service Risk in GStreamer Audio Processing by Vendor GStreamer
CVE-2026-46470

4MEDIUM

Key Information:

Vendor: Gstreamer
Status: Good Plug-ins
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-46470?

A flaw in the GStreamer gst-plugins-good package allows maliciously crafted MP4 audio tracks to trigger failures during parsing. Specifically, the isomp4 plugin’s qtdemux_audio_caps function lacks proper validation of atom data, creating a risk of denial of service through integer division by zero operations. This security hole affects versions prior to 1.28.2, necessitating prompt updates to safeguard against potential attacks.

Affected Version(s)

Good Plug-ins 0 < 1.28.2

References

https://gstreamer.freedesktop.org/security/sa-2026-0018.html

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 14, 2026

CVE-2026-46470 Data

JSON

Gstreamer

What is CVE-2026-46470?

Affected Version(s)

References

CVSS V3.1

Timeline