Main Vulnerability Database Vulnerabilities #VU132159

Heap-based buffer overflow in gst-plugins-good and gstreamer - CVE-2026-39043

Published: May 22, 2026

Vulnerability identifier: #VU132159

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-39043

CWE-ID: CWE-122

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GStreamer

Affected software:
gst-plugins-good
gstreamer

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a heap-based buffer overflow in the Matroska demuxer when parsing a crafted Matroska file with bz2-compressed tracks. A remote attacker can provide a specially crafted Matroska file to execute arbitrary code.

The issue can also cause an application crash.

How to mitigate CVE-2026-39043

Install security update from vendor's website.

Sources

https://gstreamer.freedesktop.org/security/sa-2026-0022.html
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11248.patch

Heap-based buffer overflow in gst-plugins-good and gstreamer - CVE-2026-39043

Detailed vulnerability description

How to mitigate CVE-2026-39043

Sources

Please verify you're human