VYPR
High severity 7.1 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-53704

Description

GStreamer's RealMedia demuxer in gst-plugins-ugly has an out-of-bounds read and infinite loop via a crafted FILEINFO metadata section.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the RealMedia demuxer (rmdemux) within the gst-plugins-ugly package of GStreamer. When processing a specially crafted RealMedia file containing a FILEINFO metadata section, the function gst_rmdemux_parse_mdpr() parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that the resulting offsets remain within the mapped buffer [1][2]. The element count (element_nb) controlling the parsing loop is read from attacker-controlled data without validation, and a value of 0xFFFFFFFF (stored as a signed integer) can cause an infinite loop [2]. No specific version range is provided, but the code is present in all versions using the vulnerable rmdemux implementation.

Exploitation

An attacker must deliver a crafted RealMedia file (e.g., via a website, email attachment, or media stream) to a user or application that uses GStreamer to parse it. No authentication or special privileges are required. The attacker controls the element_nb value and the offsets within the FILEINFO section. The parsing loop iterates while element_nb is non-zero; with 0xFFFFFFFF, the counter wraps and the loop continues indefinitely [2]. re_skip_pascal_string() advances the offset by reading a length byte without checking if the length exceeds the buffer, leading to an out-of-bounds read [1][2].
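
The two checks the description says are missing, an offset check inside the string skip and a bound on the pair count, sketched as an added example (not GStreamer's code and not an upstream fix). The section layout, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs in an assumed, simplified layout (not the real format):
 * u32 big-endian pair count, then name/value strings with a 1-byte length. */
static const uint8_t sample_ok[]    = {0, 0, 0, 1, 2, 'i', 'd', 3, 'a', 'b', 'c'};
static const uint8_t sample_count[] = {0xFF, 0xFF, 0xFF, 0xFF, 1, 'x', 1, 'y'};
static const uint8_t sample_len[]   = {0, 0, 0, 1, 2, 'i', 'd', 200, 'a'};

/* Hypothetical helper: skip one length-prefixed string. Returns 0 and
 * advances *off, or -1 if the string would leave the buffer. */
static int skip_pascal_string_checked(const uint8_t *buf, size_t size, size_t *off)
{
    if (*off >= size)
        return -1;                 /* no room for the length byte */
    size_t len = buf[*off];
    if (len > size - *off - 1)
        return -1;                 /* string body would pass the end */
    *off += 1 + len;
    return 0;
}

/* Returns the number of pairs parsed, or -1 on malformed input. */
long parse_pairs_checked(const uint8_t *buf, size_t size)
{
    if (size < 4)
        return -1;
    uint32_t count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                     ((uint32_t)buf[2] << 8) | buf[3];
    size_t off = 4;
    /* Every pair needs at least two length bytes, so the remaining data
     * bounds the count; 0xFFFFFFFF is rejected before the loop starts. */
    if (count > (size - off) / 2)
        return -1;
    for (uint32_t i = 0; i < count; i++) {    /* unsigned, counts upward */
        if (skip_pascal_string_checked(buf, size, &off) < 0 ||
            skip_pascal_string_checked(buf, size, &off) < 0)
            return -1;
    }
    return (long)count;
}

int main(void)
{
    printf("ok=%ld count=%ld len=%ld\n", parse_pairs_checked(sample_ok, sizeof sample_ok),
           parse_pairs_checked(sample_count, sizeof sample_count),
           parse_pairs_checked(sample_len, sizeof sample_len));
}
```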

Impact

Successful exploitation can cause the application using GStreamer to crash or hang due to the infinite loop, leading to denial of service. Additionally, the out-of-bounds read may disclose limited adjacent memory contents [1][2]. The vulnerability does not directly allow arbitrary code execution, but information disclosure could assist in chaining with other bugs. The impact is limited to denial of service and a potential memory-read leak.

Mitigation

As of the publication date (2026-06-15), no official fix is available. Upstream recommends a rewrite of the RealMedia demuxer, which is not yet released [2]. Users are advised to avoid processing untrusted RealMedia files with GStreamer until a patched version is provided. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

References: 2