VYPR
← All advisories
High severity7.1NVD Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

CVE-2026-52719

CVE-2026-52719

Description

An out-of-bounds read in GStreamer's VA JPEG decoder can crash or leak memory when a crafted JPEG file provides an invalid segment length.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in GStreamer's VA JPEG decoder can crash or leak memory when a crafted JPEG file provides an invalid segment length.

Vulnerability

An out-of-bounds read vulnerability exists in the VA JPEG decoder within GStreamer's gst-plugins-bad library. In gstjpegparser.c, the gst_jpeg_parse() function reads a segment length value from the JPEG bitstream without validating it against the available data buffer. The VA JPEG decoder path then trusts this unvalidated seg->size value and constructs a byte reader over an inflated range, resulting in a read past the allocated buffer. Affected versions are GStreamer before 1.28.4 or 1.28.5 (fix pending). The code itself comments that "a valid segment may be returned with a length that exceeds the available data," acknowledging the flaw [2].

Exploitation

An attacker must craft a special JPEG file that includes a segment length field larger than the remaining input data. To trigger the vulnerability, the attacker would need to trick a user or system into processing the malicious JPEG file through an application using GStreamer's VA decoder path. No authentication or special network position is required beyond delivering the file (e.g., via web download, email attachment, or media stream). The exploit sequence is: the JPEG parser reads the oversized segment length, the VA decoder trusts it, and the byte reader attempts to access memory beyond the buffer boundary [2].

Impact

If successful, the out-of-bounds read can cause a crash (denial of service) or result in the disclosure of sensitive heap memory contents (information disclosure). The impact scope is limited to the process hosting the GStreamer decoder; no direct code execution is indicated in the references, but memory corruption could potentially be leveraged further depending on the application [2].

Mitigation

A fix is planned for GStreamer 1.28.4 or 1.28.5 as confirmed by maintainer Sebastian Dröge [2]. Users should upgrade to the patched version once released. As a workaround, applications can avoid using the VA JPEG decoder path or disable processing of untrusted JPEG files until the patch is applied. No CISA KEV listing is mentioned in the references.

References
  1. Out-of-bounds read via JPEG segment length validation in VA decoder

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.