CVE-2026-52718

Vulnerability

A denial of service vulnerability exists in GStreamer's AV1 codec parser within gst-plugins-bad. The function gst_av1_parser_parse_tile_list_obu() in gstav1parser.c passes a byte count to gst_bit_reader_skip(), which expects a bit count, causing parser desynchronization [1]. This leads to a deterministic g_assert abort when processing a specially crafted AV1 media file. The issue affects GStreamer versions prior to the planned fix in 1.28.4 or 1.28.5 [3].

Exploitation

A remote attacker can cause a denial of service by tricking a user into opening a malicious AV1 file. No authentication or special privileges are required; the victim only needs to play the file using a GStreamer-based application. A 21-byte test case is sufficient to trigger the crash [3].

Impact

Successful exploitation results in an application crash due to an assertion abort, leading to denial of service. There is no evidence of code execution, information disclosure, or privilege escalation.

Mitigation

The GStreamer project plans to fix this vulnerability in version 1.28.4 or 1.28.5 [3]. Until a patched version is released, users should avoid opening untrusted AV1 media files. No workarounds are available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.