CVE-2026-53705
Description
Integer overflow in GStreamer's WavPack decoder (gst-plugins-good) leads to heap corruption; remote code execution possible via crafted audio file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in GStreamer's WavPack audio decoder within the gst-plugins-good package. In the function gst_wavpack_dec_handle_frame(), the buffer size for decoded audio samples is calculated as 4 * block_samples * channels using 32-bit integer arithmetic [1]. If block_samples is set to 0x20000001 with stereo channels, the multiplication wraps to approximately 8 bytes, causing g_malloc() to allocate a tiny heap buffer. The WavPack library then calls WavpackUnpackSamples(), which writes decoded audio samples far beyond this undersized allocation, resulting in a heap buffer overflow [2]. The bug affects all versions prior to the fix in GStreamer 1.28.4. Both 32-bit and 64-bit systems are vulnerable because the overflow occurs before the result is promoted to size_t [2].
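The size calculation described above, reduced to a stand-alone C sketch (an added example, not GStreamer's code and not the upstream fix). `wrapping_size` reproduces the 32-bit wrap with the values from the description; `checked_size` is a hypothetical helper, and its `max_bytes` cap is an assumed policy limit, showing the kind of check that rejects such a frame before any allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_SAMPLE 4u   /* the "4" in 4 * block_samples * channels */

/* Wrapping form: all operands are 32 bits wide, so the product is reduced
 * modulo 2^32 before it is widened to size_t. Unsigned types are used here
 * so the wrap is well defined in C. */
static size_t wrapping_size(uint32_t block_samples, uint32_t channels)
{
    uint32_t bytes = BYTES_PER_SAMPLE * block_samples * channels;
    return (size_t)bytes;
}

/* Checked form (hypothetical helper): compute in 64 bits and reject the
 * frame when the true size overflows, exceeds size_t, or exceeds the
 * caller's cap (max_bytes is an assumed policy limit). */
static bool checked_size(uint32_t block_samples, uint32_t channels,
                         size_t max_bytes, size_t *out)
{
    if (block_samples == 0 || channels == 0)
        return false;
    uint64_t bytes = (uint64_t)BYTES_PER_SAMPLE * block_samples; /* < 2^34 */
    if (bytes > UINT64_MAX / channels)
        return false;
    bytes *= channels;
    if (bytes > SIZE_MAX || bytes > max_bytes)
        return false;
    *out = (size_t)bytes;
    return true;
}

int main(void)
{
    const size_t cap = (size_t)16 * 1024 * 1024;   /* assumed 16 MiB cap */
    size_t n = 0;
    /* Values from the description: block_samples 0x20000001, stereo. */
    printf("wrapped size: %zu bytes\n", wrapping_size(0x20000001u, 2));
    printf("checked:      %s\n",
           checked_size(0x20000001u, 2, cap, &n) ? "accepted" : "rejected");
    /* Constructed benign frame: 4096 samples, stereo. */
    if (checked_size(4096, 2, cap, &n))
        printf("benign frame: %zu bytes\n", n);
    return 0;
}
```

The wrapped result is what reaches the allocator in the flawed pattern, while the decoder library still writes the full number of samples; the checked form fails closed on the same input.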
Exploitation
An attacker must craft a malicious WavPack file with a large block_samples value (e.g., 0x20000001) to trigger the integer overflow. The attacker then needs to convince a user (or an automated process) to open this file using any application that relies on GStreamer's WavPack decoder, such as a media player or a processing pipeline [1]. No authentication or special network access is required — the attack vector is local or remote via user interaction (e.g., opening a downloaded file) [1]. The overflow occurs during decoding, so no race condition or additional privileges are needed.
Impact
Successful exploitation leads to heap memory corruption. The attacker can cause the application to crash (denial of service) or potentially achieve arbitrary code execution with the privileges of the process hosting the GStreamer decoder [1]. The impact is high in terms of confidentiality, integrity, and availability, as reflected in the CVSS v3 score of 7.6 (High) [1].
Mitigation
A fix is pending in GStreamer 1.28.4; users should upgrade to that version or later once released [2]. If an immediate update is not possible, consider avoiding processing untrusted WavPack files, or use an alternative audio decoder library. There is no workaround within the codebase other than applying the patch. Red Hat has acknowledged the issue and is tracking it in Bugzilla [2]. No CISA KEV listing has been published as of the disclosure date.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.