| Name | CVE-2026-53702 |
| Description | A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gst-plugins-bad1.0 (PTS) | bullseye | 1.18.4-3+deb11u4 | vulnerable |
| bullseye (security) | 1.18.4-3+deb11u6 | vulnerable | |
| bookworm, bookworm (security) | 1.22.0-4+deb12u7 | vulnerable | |
| trixie (security), trixie | 1.26.2-3+deb13u1 | vulnerable | |
| forky, sid | 1.28.3-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gst-plugins-bad1.0 | source | (unstable) | 1.28.3-1 |
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11334
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/48c11b7b014aad4fa67385df68220a03cb49ae5d (main)
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/974fa2b0fbe715955b4e4f3a6bd7e80d0d782350 (man)
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6c0de3d4952f9b79415ce090ef216c829260226b (1.28.3)
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890aa461742661a1f5a67b69ba608f61e779c23c (1.28.3)
Backport for 1.26: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11341