Unrated severityNVD Advisory· Published Mar 13, 2026· Updated Mar 18, 2026
GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability
CVE-2026-3084
Description
GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of picture partitions. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28910.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/496e4f296e658fba7fd40027d3bbe6095633ec91mitrevendor-advisory
- www.zerodayinitiative.com/advisories/ZDI-26-169/mitrex_research-advisory
News mentions
12- ZDI-26-283: GStreamer qtdemux Stack-based Buffer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Apr 15, 2026
- ZDI-26-166: GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-169: GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-168: GStreamer RIFF Palette Integer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-170: GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-161: GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-163: GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-164: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-162: GStreamer H.266 Codec Parser Stack-based Buffer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-167: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- ZDI-26-165: GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution VulnerabilityZero Day Initiative · Mar 6, 2026
- Siemens SIMATICCISA Alerts