VYPR
High severity (7.1) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-52722

Description

A signed integer overflow in GStreamer's VMnc decoder allows out-of-bounds reads via crafted cursor dimensions, leading to crash or info disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in GStreamer's VMnc decoder within gst-plugins-bad, specifically in vmncdec.c at line 408. The cursor payload size computation datalen += rect->width * rect->height * dec->format.bytes_per_pixel * 2 uses signed 32-bit arithmetic. A crafted VMnc stream with large cursor dimensions (e.g., 65535 x 65535) causes a signed integer overflow, resulting in a small or negative datalen. This bypasses the subsequent length check (if (len < datalen)), leading to a tiny heap allocation via g_malloc(size). The rendering loop in render_colour_cursor() then uses the original large width/height values, causing out-of-bounds reads beyond the allocated buffer. Affected versions are those before the planned fix in GStreamer 1.28.4 [2].
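
The arithmetic described above, worked through as an added illustration; this is not GStreamer's code and not the upstream fix. The function names, the 4 bytes-per-pixel value and the 64-byte payload length are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Value a signed 32-bit product ends up with on two's-complement targets.
 * Done in uint32_t because signed overflow itself is undefined in C. */
static int32_t wrapped_cursor_len(uint32_t w, uint32_t h, uint32_t bpp)
{
    return (int32_t)(w * h * bpp * 2u);
}

/* The pattern described above: only "len < datalen" rejects the input. */
static bool legacy_check_passes(int32_t len, uint32_t w, uint32_t h, uint32_t bpp)
{
    int32_t datalen = wrapped_cursor_len(w, h, bpp);
    return !(len < datalen);
}

/* Hardened form: 64-bit arithmetic, explicit overflow test, and a bound
 * against the bytes actually available before anything is allocated. */
static bool cursor_len_checked(uint32_t w, uint32_t h, uint32_t bpp,
                               size_t avail, size_t *out)
{
    uint64_t pixels = (uint64_t)w * h;        /* 32x32 bits fits in 64 */
    uint64_t per_pixel = (uint64_t)bpp * 2u;  /* 32 bits x 2 fits in 64 */
    if (per_pixel != 0 && pixels > UINT64_MAX / per_pixel)
        return false;                         /* product would overflow */
    uint64_t need = pixels * per_pixel;
    if (need > avail)
        return false;                         /* payload shorter than claimed */
    *out = (size_t)need;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Constructed inputs: 65535 x 65535 cursor, 4 bytes per pixel, 64-byte payload. */
    printf("wrapped datalen: %d\n", wrapped_cursor_len(65535, 65535, 4));
    printf("legacy check passes: %d\n", legacy_check_passes(64, 65535, 65535, 4));
    printf("checked accepts: %d\n", cursor_len_checked(65535, 65535, 4, 64, &n));
    return 0;
}
```

With these inputs the 32-bit result is negative, so the length comparison never fires, while the 64-bit version rejects the same dimensions before any allocation.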

Exploitation

An attacker must trick a user into opening a specially crafted VMnc file. No authentication or special privileges are required; the vulnerability is triggered during normal playback of the malicious file. The attacker crafts a VMnc stream with large cursor dimensions (e.g., 65535 x 65535) that cause the signed integer overflow. The overflow leads to a small buffer allocation, and subsequent rendering reads beyond the buffer, potentially accessing adjacent heap memory [2].

Impact

Successful exploitation can cause a crash (denial of service) or potentially information disclosure via out-of-bounds reads. The attacker gains no code execution; the impact is limited to reading adjacent heap memory. The vulnerability is rated High with a CVSS v3 score of 7.1 [2].

Mitigation

A fix is planned for GStreamer 1.28.4. As of the publication date (2026-06-15), no official patch has been released. Users should update to the fixed version when available. No workarounds are documented. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [2].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
