VYPR
High severity 8.8 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-52720

Description

A heap buffer overflow in GStreamer's librfb allows a malicious VNC server to write past the framebuffer, potentially leading to code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer overflow vulnerability exists in rfbdecoder.c within GStreamer's librfb (RFB/VNC client), part of gst-plugins-bad. The flawed bounds check compares the rectangle's area against the framebuffer's area instead of validating each dimension: if (((w * h) + (x * y)) > (decoder->width * decoder->height)). A malicious VNC server can therefore send a FramebufferUpdate with crafted x, y, w, h values (e.g., x=0, y=0, w=2000, h=1 on a 1920-wide framebuffer) that pass this check but describe a rectangle extending beyond the allocated framebuffer. Versions prior to the fix planned for GStreamer 1.28.4 are affected [2].

Exploitation

An attacker needs only to host a malicious VNC server and trick a user into connecting to it (no authentication required). The raw encoding function performs memcpy(frame, p, raw_line_size) where raw_line_size = w * bytespp. When crafted values are used, raw_line_size exceeds the framebuffer line length, causing an out-of-bounds heap write. The vulnerable code path is triggered during normal FramebufferUpdate processing without any special user interaction beyond the initial connection [2].
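
The check quoted under Vulnerability, placed beside a per-dimension check, run on the advisory's example values. This is an added example, not code from GStreamer or its upstream fix; the function names, the 1080-row height, the 4 bytes per pixel and the hardened check itself are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The area-based check quoted above, returning 1 when the rectangle is
 * accepted. It compares products, so a wide, short rectangle passes. */
static int area_check_accepts(uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                              uint32_t fb_w, uint32_t fb_h)
{
    return !(((w * h) + (x * y)) > (fb_w * fb_h));
}

/* Assumed hardened form (not the upstream patch): each edge is checked on
 * its own. Written as subtractions so x + w and y + h can never wrap. */
static int edge_check_accepts(uint32_t x, uint32_t y, uint32_t w, uint32_t h,
                              uint32_t fb_w, uint32_t fb_h)
{
    if (x > fb_w || w > fb_w - x)
        return 0;
    if (y > fb_h || h > fb_h - y)
        return 0;
    return 1;
}

/* Bytes by which one raw row copy (w * bytespp, assumed to land at column x)
 * would run past the end of its framebuffer line; 0 when it fits. */
static uint64_t row_overrun_bytes(uint32_t x, uint32_t w, uint32_t fb_w,
                                  uint32_t bytespp)
{
    uint64_t row_end = ((uint64_t)x + w) * bytespp;
    uint64_t line_len = (uint64_t)fb_w * bytespp;
    return row_end > line_len ? row_end - line_len : 0;
}

int main(void)
{
    /* Constructed input: the advisory's values on an assumed 1920x1080,
     * 4 bytes-per-pixel framebuffer. */
    uint32_t x = 0, y = 0, w = 2000, h = 1, fb_w = 1920, fb_h = 1080;
    printf("area check accepts: %d\n", area_check_accepts(x, y, w, h, fb_w, fb_h));
    printf("edge check accepts: %d\n", edge_check_accepts(x, y, w, h, fb_w, fb_h));
    printf("row overrun bytes:  %llu\n",
           (unsigned long long)row_overrun_bytes(x, w, fb_w, 4));
    return 0;
}
```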

Impact

Successful exploitation allows a remote attacker to write controlled data past the end of the framebuffer heap buffer. This out-of-bounds write can corrupt adjacent heap memory, potentially leading to arbitrary code execution in the context of the GStreamer process, or cause a denial of service via crash [2]. Which outcome occurs depends on heap layout and exploitability.

Mitigation

A fix is planned for GStreamer 1.28.4, as confirmed upstream by maintainer Sebastian Dröge on 2026-06-02 [2]. Users should update to that version once released. No workaround is available for unpatched versions. The upstream issue is tracked at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5105 (currently confidential) [3]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
