GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.

Multiple Vulnerabilities in GStreamer

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:6259 advisory.

    GStreamer is a streaming media framework based on graphs of filters which operate on media data. The     gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.

    Security Fix(es):

    * GStreamer: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920)

    * GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser     (CVE-2026-3082)

    * GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay     (CVE-2026-3085)

    * GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling     (CVE-2026-2921)

    * GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083)

    * GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in RealMedia Demuxer (CVE-2026-2922)

    * GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in DVB Subtitles handling     (CVE-2026-2923)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4516 advisory.

    - -----------------------------------------------------------------------     Debian LTS Advisory DLA-4516-1              debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Utkarsh Gupta     March 30, 2026                              https://wiki.debian.org/LTS
    - -----------------------------------------------------------------------

    Package        : gst-plugins-ugly1.0     Version        : 1.18.4-2+deb11u2     CVE ID         : CVE-2026-2920 CVE-2026-2922

    Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of     GStreamer plugins from the ugly set.

    CVE-2026-2920

        The ASF demuxer did not validate the number of streams against         the size of its static streams array. A crafted ASF file with         more than 32 streams could cause a heap-based buffer overflow         and potentially allow code execution.

    CVE-2026-2922

        The RealMedia demuxer checked for too many video fragments after         writing to the fragment storage, allowing an out-of-bounds write.
        Additionally, an integer overflow in the fragment size check could         bypass the available data validation.

    For Debian 11 bullseye, these problems have been fixed in version     1.18.4-2+deb11u2.

    We recommend that you upgrade your gst-plugins-ugly1.0 packages.

    For the detailed security status of gst-plugins-ugly1.0 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0998-1 advisory.

    - CVE-2026-2920: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability     (bsc#1259367).
    - CVE-2026-2922: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability     (bsc#1259370).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability     allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with     this library is required to exploit this vulnerability but attack vectors may vary depending on the     implementation. The specific flaw exists within the processing of stream headers within ASF files. The     issue results from the lack of proper validation of the length of user-supplied data prior to copying it     to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the     context of the current process. Was ZDI-CAN-28843. (CVE-2026-2920)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 791d4b29-19fb-11f1-87cc-e73692421fef advisory.

    The GStreamer project reports multiple security vulnerabilities fixed in the 1.28.1 release:
    Twelve security vulnerabilities were addressed, including:
    These could lead to application crashes or potentially arbitrary code execution.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
304420	RHEL 10 : gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free (RHSA-2026:6259)	Nessus	Red Hat Local Security Checks	high
304248	Debian dla-4516 : gstreamer1.0-plugins-ugly - security update	Nessus	Debian Local Security Checks	high
303782	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gstreamer-plugins-ugly (SUSE-SU-2026:0998-1)	Nessus	SuSE Local Security Checks	high
301741	Linux Distros Unpatched Vulnerability : CVE-2026-2920	Nessus	Misc.	high
301464	FreeBSD : gstreamer1 -- multiple vulnerabilities (791d4b29-19fb-11f1-87cc-e73692421fef)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2026-2920

high

Tenable Plugins

Coming Soon

high

high

high

high

high