CVE-2026-53701

Vulnerability

An out-of-bounds write vulnerability exists in GStreamer's H.266/VVC picture parameter set (PPS) picture partition parser, located in gst_h266_parser_parse_picture_partition() within gsth266parser.c of the gst-plugins-bad package. In the multi-slice-in-tile processing loop, the slice index is not validated against the bounds of three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. A crafted H.266/VVC media file can trigger this flaw [1][2]. All versions prior to the fix in GStreamer 1.28.3 are affected.

Exploitation

An attacker must supply a malicious H.266/VVC media file that contains a crafted PPS with a large number of slices in a tile. When the file is parsed by a GStreamer-based application (e.g., a media player or pipeline), the vulnerable loop iterates without a bounds check, writing out-of-bounds past the three arrays. The initial proof-of-concept demonstrated a 4-byte write, but the code permits larger write operations across multiple iterations [1][2]. No special privileges or authentication are required; only user interaction (opening the file) is needed.

Impact

Successful exploitation allows an out-of-bounds write, leading to memory corruption. This can result in arbitrary code execution in the context of the GStreamer process, or a denial of service via crash. The CVSS v3 base score is 6.5 (Medium) [1]. The scope of compromise depends on the process privileges, but media libraries often run in user space.

Mitigation

GStreamer fixed this vulnerability in version 1.28.3, released on 2026-05-29, with commit f66e8292ed and merge request !11581 [2]. Users should update gst-plugins-bad to the latest version. There is no known workaround; the flaw is in the parser itself. As of the publication date, the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.