CVE-2026-1940

CVE-2026-1940

Name

CVE-2026-1940

Description

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
secalert@redhat.com	https://access.redhat.com/security/cve/CVE-2026-1940
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=2436932
secalert@redhat.com	https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4854
secalert@redhat.com	https://gstreamer.freedesktop.org/security/sa-2026-0001.html
secalert@redhat.com	https://security-tracker.debian.org/tracker/CVE-2026-1940

Type

URI

secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2026-1940

secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2436932

secalert@redhat.com

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4854

secalert@redhat.com

https://gstreamer.freedesktop.org/security/sa-2026-0001.html

secalert@redhat.com

https://security-tracker.debian.org/tracker/CVE-2026-1940

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:freedesktop:gst-plugins-good:1.0.0:::::::*`	gst-plugins-good	== None	== 1.0.0
`cpe:2.3:a:gstreamer:gstreamer::::::::`	gstreamer	>= None	< 1.28.1
`cpe:2.3:o:debian:debian_linux:11.0:::::::*`	debian_linux	== None	== 11.0
`cpe:2.3:o:debian:debian_linux:12.0:::::::*`	debian_linux	== None	== 12.0
`cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*`	enterprise_linux	== None	== 7.0
`cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*`	enterprise_linux	== None	== 8.0
`cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*`	enterprise_linux	== None	== 9.0
`cpe:2.3:o:redhat:enterprise_linux:10.0:::::::*`	enterprise_linux	== None	== 10.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:freedesktop:gst-plugins-good:1.0.0:*:*:*:*:*:*:*

gst-plugins-good

== None

== 1.0.0

cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*

gstreamer

>= None

< 1.28.1

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

debian_linux

== None

== 11.0

cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

debian_linux

== None

== 12.0

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

enterprise_linux

== None

== 7.0

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

enterprise_linux

== None

== 8.0

cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

enterprise_linux

== None

== 9.0

cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*

enterprise_linux

== None

== 10.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
gstreamer	edge-main	1.28.0-r0	team/alpine-desktop <achill@achill.org>	possibly vulnerable
gstreamer	edge-main	1.26.10-r1	team/alpine-desktop <achill@achill.org>	possibly vulnerable
gstreamer	edge-main	1.26.10-r0	team/alpine-desktop <achill@achill.org>	possibly vulnerable
gstreamer	edge-main	1.26.9-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.8-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.7-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.6-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.5-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.4-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.3-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.2-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.26.1-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.24.12-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.24.11-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.24.10-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.24.9-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	edge-main	1.18.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gstreamer	3.23-main	1.26.9-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	3.22-main	1.26.3-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	3.22-main	1.26.1-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	3.22-main	1.18.4-r0	None	possibly vulnerable
gstreamer	3.21-main	1.24.11-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	3.21-main	1.24.10-r0	Krassy Boykinov <kboykinov@teamcentrixx.com>	possibly vulnerable
gstreamer	3.21-main	1.18.4-r0	None	possibly vulnerable
gstreamer	3.20-main	1.24.10-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gstreamer	3.20-main	1.24.9-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gstreamer	3.20-main	1.18.4-r0	None	possibly vulnerable
gstreamer	3.19-main	1.22.12-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gstreamer	3.19-main	1.18.4-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages