CVE-2026-53702
Description
A stack buffer overflow in GStreamer's H.265 parser occurs when a crafted SEI message uses an incorrect loop bound, risking crash or memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack buffer overflow exists in the gst_h265_parse_buffering_period() function of the GStreamer H.265 codec parser library (part of gst-plugins-bad). While parsing the buffering period SEI message, the parser incorrectly uses cpb_cnt_minus1[i], indexed by the loop index, as the loop bound instead of cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. This allows a crafted H.265 video file or stream to cause writes beyond the bounds of stack-allocated 32-element CPB delay arrays. The flaw is present in versions prior to GStreamer 1.28.3 [1][2].
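The two loop-bound patterns described above, as an added simplified model (not GStreamer's code and not the actual fix diff). ModelHrd, MODEL_LEN, the function names and the sample values are assumptions made for illustration; the flawed loop is only simulated by counting iterations, so nothing is written out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define CPB_SLOTS 32  /* size of the stack CPB delay arrays, per the page */
#define MODEL_LEN 64  /* assumption: model table wide enough to index safely */

/* Hypothetical model of the parsed HRD state; not GStreamer's structures. */
typedef struct { uint8_t cpb_cnt_minus1[MODEL_LEN]; } ModelHrd;

/* Flawed pattern: the bound is re-read on every pass from the entry selected
 * by the loop index. Simulation: returns how many slots would be written. */
size_t writes_with_indexed_bound(const ModelHrd *h)
{
    size_t i = 0;
    while (i < MODEL_LEN && i <= h->cpb_cnt_minus1[i])
        i++;
    return i;
}

/* Corrected pattern: one fixed bound from entry 0, checked against the
 * destination size before any write. Returns entries stored, or -1. */
int copy_delays_fixed_bound(const ModelHrd *h, const uint32_t *src,
                            size_t src_len, uint32_t out[CPB_SLOTS])
{
    size_t count = (size_t)h->cpb_cnt_minus1[0] + 1;
    if (count > CPB_SLOTS || count > src_len)
        return -1;
    for (size_t i = 0; i < count; i++)
        out[i] = src[i];
    return (int)count;
}

/* Constructed input: entry 0 declares 4 CPBs, entries 1..40 hold 40. */
ModelHrd sample_hrd(void)
{
    ModelHrd h = {{0}};
    h.cpb_cnt_minus1[0] = 3;
    for (size_t i = 1; i <= 40; i++) h.cpb_cnt_minus1[i] = 40;
    return h;
}

int main(void)
{
    ModelHrd h = sample_hrd();
    uint32_t src[CPB_SLOTS] = {0}, out[CPB_SLOTS];
    printf("indexed bound: %zu writes, fixed bound: %d\n",
           writes_with_indexed_bound(&h),
           copy_delays_fixed_bound(&h, src, CPB_SLOTS, out));
    return 0;
}
```

With the constructed table, the indexed bound runs 41 passes against 32 slots, while the fixed bound stores 4 entries and rejects any count above 32.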
Exploitation
An attacker needs to deliver a specially crafted H.265 video file or stream to a target system that uses a vulnerable version of GStreamer to decode it. No authentication or privileged network position is required if the user opens the file via any application leveraging GStreamer (e.g., media players, transcoders). The parser processes the buffering period SEI message from the bitstream, and the incorrect loop bound triggers an out-of-bounds write on the stack [1][2].
Impact
Successful exploitation causes a stack buffer overflow, resulting in a crash due to memory corruption. Under specific conditions, an attacker may be able to control the overflow data to corrupt adjacent stack memory, potentially leading to arbitrary code execution. The primary outcome is denial of service, with the possibility of more severe integrity or confidentiality impacts [1][2].
Mitigation
The vulnerability is fixed in GStreamer version 1.28.3, released 2026-06-10, via merge request !11334 (commit 48c11b7b01). Users should update to this version or later. For systems that cannot be immediately patched, avoid decoding untrusted H.265 media files or streams, and restrict access to applications that use the vulnerable library. No workaround within the library itself is available. The vulnerability is not known to be listed in CISA KEV as of publication [2].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.