Unrated severity · NVD Advisory · Published Mar 13, 2026 · Updated Mar 29, 2026
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability
CVE-2026-2921
Description
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
- gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e3a99c35266fc92dd6a18ac5fde028d0cda559e6 (mitre, vendor-advisory)
- www.zerodayinitiative.com/advisories/ZDI-26-168/ (mitre, x_research-advisory)
News mentions (12)
- ZDI-26-283: GStreamer qtdemux Stack-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Apr 15, 2026)
- ZDI-26-166: GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-169: GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-168: GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-170: GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-161: GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-163: GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-164: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-162: GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-167: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- ZDI-26-165: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability (Zero Day Initiative, Mar 6, 2026)
- Siemens SIMATIC (CISA Alerts)