CVE-2026-2921: Integer Overflow in GStreamer's AVI Palette Handling Enables Remote Code Execution
A newly disclosed integer overflow vulnerability in GStreamer's handling of palette data in AVI files allows remote attackers to execute arbitrary code on affected systems.

A critical vulnerability in the GStreamer multimedia framework, tracked as CVE-2026-2921, has been disclosed by the Zero Day Initiative (ZDI-26-168). The flaw resides in GStreamer's handling of palette data within AVI (Audio Video Interleave) files. An integer overflow occurs when the library processes specially crafted palette data, leading to a write operation that can corrupt memory and enable remote code execution in the context of the current process.
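To make the CWE-680 pattern concrete, here is an added example in C that is not GStreamer's code and does not reproduce the actual CVE-2026-2921 bug. It uses a constructed, simplified palette chunk layout (a 32-bit little-endian entry count followed by 4-byte entries) that is an assumption for illustration only. The unchecked size calculation shows how a 32-bit multiply wraps so that a parser would allocate a tiny buffer and then write far past it; the hardened parser beside it rejects the chunk before any allocation or copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified palette chunk layout used only for this example:
 * a 32-bit little-endian entry count followed by count * 4 bytes of colour
 * entries. This is NOT the real AVI or GStreamer structure. */
#define ENTRY_SIZE  4u
#define HEADER_SIZE 4u

typedef struct {
    uint32_t count;
    uint8_t *entries;   /* count * ENTRY_SIZE bytes, heap-allocated */
} palette_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The CWE-680 pattern: the allocation size is computed in 32-bit arithmetic,
 * so a large count wraps to a small value. A parser that allocates this many
 * bytes and then loops `count` times writing entries overruns the buffer.
 * This function only returns the wrapped size; it never performs a write. */
uint32_t palette_size_unchecked(uint32_t count)
{
    return count * ENTRY_SIZE;   /* wraps for count >= 0x40000000 */
}

/* 1 when the unchecked size differs from the bytes a loop over `count`
 * entries would actually write, i.e. the overflow is real for that count. */
int unchecked_size_wraps(uint32_t count)
{
    uint64_t real = (uint64_t)count * ENTRY_SIZE;
    return real != (uint64_t)palette_size_unchecked(count);
}

/* Hardened parser: validates the count against both the size_t range and the
 * bytes actually present before any allocation or write.
 * Returns 0 on success (caller frees out->entries) or -1 on malformed input;
 * *out is left untouched on failure. */
int parse_palette_chunk(const uint8_t *chunk, size_t chunk_len, palette_t *out)
{
    if (chunk == NULL || out == NULL || chunk_len < HEADER_SIZE)
        return -1;

    uint32_t count = rd_le32(chunk);

    /* Overflow-safe multiply: reject before computing count * ENTRY_SIZE. */
    if (count > SIZE_MAX / ENTRY_SIZE)
        return -1;
    size_t need = (size_t)count * ENTRY_SIZE;

    /* The declared count must be backed by bytes present in the chunk. */
    if (need > chunk_len - HEADER_SIZE)
        return -1;

    uint8_t *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, chunk + HEADER_SIZE, need);

    out->count = count;
    out->entries = buf;
    return 0;
}

/* Runs both parsers over constructed inputs; returns the number of checks
 * that behaved as expected (3 when everything is correct). */
int run_checks(void)
{
    /* Constructed sample inputs. */
    const uint8_t benign[]  = { 2,0,0,0,  1,2,3,4,  5,6,7,8 };
    /* Count 0x40000001: 32-bit size wraps to 4, but only 4 entry bytes follow. */
    const uint8_t crafted[] = { 0x01,0x00,0x00,0x40,  9,9,9,9 };
    palette_t pal = { 0, NULL };
    int passed = 0;

    if (parse_palette_chunk(benign, sizeof benign, &pal) == 0 &&
        pal.count == 2 && pal.entries[4] == 5)
        passed++;
    free(pal.entries);

    if (palette_size_unchecked(0x40000001u) == 4u &&
        unchecked_size_wraps(0x40000001u))
        passed++;

    pal.entries = NULL;
    if (parse_palette_chunk(crafted, sizeof crafted, &pal) == -1 &&
        pal.entries == NULL)
        passed++;
    return passed;
}

int main(void)
{
    printf("unchecked size for 0x40000001 entries: %u bytes\n",
           palette_size_unchecked(0x40000001u));
    printf("checks passed: %d of 3\n", run_checks());
    return 0;
}
```

The two checks in the hardened parser are the ones a reviewer looks for in any chunk-size computation: bound the multiplication so it cannot wrap, then bound the result by the data that is actually present, before anything is allocated or copied.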
The vulnerability, assigned a CVSS score of 7.8 (High), is classified as an integer overflow before a buffer write (CWE-680). The attack vector is local, meaning an attacker must convince a user to open a malicious AVI file or interact with a service that processes such files. However, the attack complexity is low, and no privileges are required. The impact is severe: successful exploitation could allow an attacker to take full control of the affected system, including the ability to install programs, view, change, or delete data, or create new accounts with full user rights.
GStreamer is a widely used open-source multimedia framework that underpins many Linux desktop environments, media players, and streaming applications. It is also integrated into various embedded systems and IoT devices. The vulnerability affects all installations of GStreamer that process AVI files with palette data, making the potential attack surface extensive. While the advisory does not report active exploitation in the wild, the public disclosure of the vulnerability and the availability of a patch increase the risk of attackers reverse-engineering the fix to develop exploits.
The GStreamer project has released a fix via commit e3a99c35266fc92dd6a18ac5fde028d0cda559e6, which is available in the official GStreamer GitLab repository. Users and system administrators are strongly advised to update their GStreamer installations to the latest patched version as soon as possible. Major Linux distributions that package GStreamer are expected to release updated packages shortly.
The vulnerability was reported to GStreamer on February 11, 2026, and the coordinated public advisory was released on March 6, 2026. The discovery is credited to an anonymous researcher. This disclosure highlights the ongoing risks in multimedia processing libraries, where complex data parsing routines can introduce memory corruption vulnerabilities. As multimedia libraries are integrated into countless applications, from web browsers to video editors, the impact of such flaws can be far-reaching, emphasizing the need for rigorous input validation and timely patching.