| Name | CVE-2026-1940 |
| Description | An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gst-plugins-good1.0 (PTS) | bullseye | 1.18.4-2+deb11u2 | vulnerable |
| bullseye (security) | 1.18.4-2+deb11u4 | vulnerable | |
| bookworm | 1.22.0-5+deb12u3 | vulnerable | |
| bookworm (security) | 1.22.0-5+deb12u2 | vulnerable | |
| trixie | 1.26.2-1 | vulnerable | |
| forky, sid | 1.28.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gst-plugins-good1.0 | source | (unstable) | 1.28.1-1 |
[trixie] - gst-plugins-good1.0 <no-dsa> (Minor issue)
[bookworm] - gst-plugins-good1.0 <no-dsa> (Minor issue)
[bullseye] - gst-plugins-good1.0 <postponed> (Minor issue, OOB read)
https://gstreamer.freedesktop.org/security/sa-2026-0001.html
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce2e822775bc5d192009617827bb6e9f0f98ca22 (main)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e7789e43cc9cf409e973949ebb4107c49c7ce4cd (main)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/4778ee36e5f200edbca279159448030925667fb7 (main)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5d1ca7b2d735de78cc65c06b827ccb0048f84b9a (main)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e742802aa7de256e7012936de5436c31cde192c3 (main)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1171ae8ac218ea85f8dc41203a2ee146ff322a20 (1.28.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/3564405b6919469427750f6b89d4abbe43534fa2 (1.28.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c73a1f4427ecb2e77d00fdd9576bd9864cfaba97 (1.28.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8822ee3b2397d865c21cbbd8e36fb2d64d6ab380 (1.28.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/081484ec99aa75fe24b3286d88e1f1280deea56a (1.28.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e77b18aff5317dfe881bc62be20c80a5a0f83bdc (1.26.11)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5484aa812130a3632adcfaf7403524ed2e422e04 (1.26.11)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fa3b28d17ff1e82407e74499d6b08a3fe39755cc (1.26.11)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/8153ccf4fa02ffd6b5608b666fc2532721804086 (1.26.11)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5fe1ccfa0cd6c9f7350dff703d1bf0d82de99b0e (1.26.11)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d785c115c8ca9e68b165440933d307c02c69ee53 (1.24 branch)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/961586ce317c6cd9ddb28eec2cabd243418a662a (1.24 branch)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/20749ec7baa3e30376f6dde3029c531e2d396a27 (1.24 branch)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff79ffc4488acbc30e5af78195fe2d321bed991b (1.24 branch)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/62d390f499a21ef8b42f8b7a51300373fcebfee3 (1.24 branch)