Out-of-Bounds Read Vulnerability in GStreamer's VA JPEG Decoder
CVE-2026-52719

7.1 HIGH

What is CVE-2026-52719?

A vulnerability exists in the VA JPEG decoder of GStreamer's gst-plugins-bad due to insufficient validation of segment lengths read from JPEG bitstreams. This flaw allows a remote attacker to craft a malicious JPEG file that, when opened by a user, may cause the parser to read beyond the buffer allocated for input. This can result in application crashes and could potentially expose sensitive information, compromising the integrity and confidentiality of the system.
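The class of check the description says was insufficient, as an added example: this is not GStreamer's code or the upstream fix. The function name, error codes and byte arrays are constructed for illustration, and the marker layout follows the JPEG format. Each declared segment length is compared against the bytes that remain before any payload is read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes (hypothetical names for this example). */
enum { SEG_BAD_MARKER = -1, SEG_TRUNCATED = -2, SEG_BAD_LENGTH = -3 };

/* Markers with no length field: TEM (0x01), RST0-7 (0xD0-0xD7), SOI, EOI. */
static int marker_is_standalone(uint8_t m) {
    return m == 0x01 || (m >= 0xD0 && m <= 0xD9);
}

/* Walk the marker segments in buf[0..size) and check each declared length
 * against the bytes that remain, before any payload would be read. Returns the
 * number of length-bearing segments seen up to SOS or EOI, or an error code. */
int check_jpeg_segments(const uint8_t *buf, size_t size) {
    size_t off = 0;
    int count = 0;
    while (size - off >= 2) {
        if (buf[off] != 0xFF) return SEG_BAD_MARKER;
        uint8_t marker = buf[off + 1];
        if (marker == 0xFF) { off++; continue; }         /* fill byte */
        if (marker == 0x00) return SEG_BAD_MARKER;        /* stuffed byte, not a marker */
        off += 2;
        if (marker == 0xD9) return count;                 /* EOI */
        if (marker_is_standalone(marker)) continue;
        if (size - off < 2) return SEG_TRUNCATED;         /* no room for length field */
        size_t seg_len = ((size_t)buf[off] << 8) | buf[off + 1];
        if (seg_len < 2) return SEG_BAD_LENGTH;           /* length counts its own 2 bytes */
        if (seg_len > size - off) return SEG_TRUNCATED;   /* declared payload overruns input */
        count++;
        if (marker == 0xDA) return count;                 /* SOS: entropy-coded data follows */
        off += seg_len;
    }
    return SEG_TRUNCATED;                                 /* input ended before SOS/EOI */
}

/* Constructed inputs: SOI + APP0 (length 4) + EOI; APP0 claiming 16 bytes with
 * only 4 present; a DQT segment whose length field is 1. */
static const uint8_t sample_ok[]    = {0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x41,0x42, 0xFF,0xD9};
static const uint8_t sample_short[] = {0xFF,0xD8, 0xFF,0xE0,0x00,0x10,0x41,0x42};
static const uint8_t sample_len1[]  = {0xFF,0xD8, 0xFF,0xDB,0x00,0x01,0x00,0x00};

int main(void) {
    printf("ok=%d short=%d len1=%d\n", check_jpeg_segments(sample_ok, sizeof sample_ok),
           check_jpeg_segments(sample_short, sizeof sample_short),
           check_jpeg_segments(sample_len1, sizeof sample_len1));
    return 0;
}
```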

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank JUNYI LIU for reporting this issue.