CVE-2026-2922: High-Severity Out-of-Bounds Write in GStreamer RealMedia Demuxer Enables Code Execution
ZDI discloses CVE-2026-2922, an out-of-bounds write in GStreamer's RealMedia demuxer that allows code execution via crafted video packets. The flaw carries a CVSS score of 7.8, which rates as High rather than Critical.

On March 6, 2026, the Zero Day Initiative (ZDI) disclosed a high-severity vulnerability in GStreamer, the widely used open-source multimedia framework. Tracked as CVE-2026-2922 and assigned a CVSS score of 7.8 (High), the flaw resides in the RealMedia demuxer and allows an attacker who can get a crafted file in front of a GStreamer-based application to execute arbitrary code on the affected system. The vulnerability was reported to GStreamer on February 11, 2026, and a fix was committed before the advisory was published.
The flaw lies in how the RealMedia demuxer processes video packets. Attacker-controlled packet data is not sufficiently validated before it is written into an allocated buffer, so a crafted packet can cause a write past the end of that buffer: a classic out-of-bounds write. An attacker exploits this by crafting a RealMedia file that, when parsed by any application built on GStreamer, triggers the out-of-bounds write and, from there, code execution with the privileges of the parsing process.
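To make the bug class concrete, the following is an added example and is not GStreamer's code or the patched demuxer. It uses a hypothetical, simplified packet layout (a 2-byte big-endian payload length, a 2-byte stream id, then the payload) and a hypothetical 64-byte frame reassembly buffer. The vulnerable function copies whatever length the file claims; the hardened one checks that length against both the bytes actually present in the input (to avoid an over-read) and the space left in the destination (to avoid the out-of-bounds write). The crafted packets are constructed inline; only the hardened parser is run on them, since the vulnerable one would corrupt memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet header: 2-byte BE payload length, 2-byte stream id. */
#define PKT_HDR_LEN 4
/* Hypothetical fixed-size buffer into which packets of one frame are appended. */
#define FRAME_BUF_SIZE 64

typedef struct {
    uint8_t data[FRAME_BUF_SIZE];
    size_t  used;   /* bytes already written into data[] */
} frame_buf_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: the copy length is taken straight from the file. */
int append_packet_vulnerable(frame_buf_t *fb, const uint8_t *pkt, size_t avail)
{
    if (avail < PKT_HDR_LEN) return -1;
    uint16_t len = be16(pkt);
    /* BUG: no check that len fits the remaining frame buffer (out-of-bounds
       write) or that len payload bytes are really present (out-of-bounds read). */
    memcpy(fb->data + fb->used, pkt + PKT_HDR_LEN, len);
    fb->used += len;
    return 0;
}

/* Hardened pattern: validate the claimed length against both bounds first. */
int append_packet_safe(frame_buf_t *fb, const uint8_t *pkt, size_t avail)
{
    if (avail < PKT_HDR_LEN) return -1;              /* truncated header */
    uint16_t len = be16(pkt);
    if (len > avail - PKT_HDR_LEN) return -2;        /* claims more than the input holds */
    if (len > FRAME_BUF_SIZE - fb->used) return -3;  /* would write past the end of data[] */
    memcpy(fb->data + fb->used, pkt + PKT_HDR_LEN, len);
    fb->used += len;
    return 0;
}

/* Construct a packet whose header claims `claimed` bytes while `present` bytes follow. */
static size_t build_packet(uint8_t *out, size_t cap, uint16_t claimed, size_t present)
{
    if (cap < PKT_HDR_LEN + present) return 0;
    out[0] = (uint8_t)(claimed >> 8);
    out[1] = (uint8_t)claimed;
    out[2] = 0; out[3] = 1;                          /* stream id 1 */
    memset(out + PKT_HDR_LEN, 0x41, present);        /* constructed filler payload */
    return PKT_HDR_LEN + present;
}

/* Well-formed packet: both parsers accept it; returns the bytes reassembled. */
int run_benign(void)
{
    uint8_t pkt[PKT_HDR_LEN + 16];
    size_t n = build_packet(pkt, sizeof pkt, 16, 16);
    frame_buf_t a = {{0}, 0}, b = {{0}, 0};
    if (append_packet_vulnerable(&a, pkt, n) != 0) return -100;
    if (append_packet_safe(&b, pkt, n) != 0) return -101;
    return (a.used == b.used) ? (int)b.used : -102;
}

/* Crafted packet: 200 payload bytes really present, but the frame buffer holds 64.
   The vulnerable parser would write 136 bytes past data[]; only the safe one runs. */
int run_oversize(void)
{
    uint8_t pkt[PKT_HDR_LEN + 200];
    size_t n = build_packet(pkt, sizeof pkt, 200, 200);
    frame_buf_t fb = {{0}, 0};
    return append_packet_safe(&fb, pkt, n);
}

/* Crafted packet: header claims 300 bytes but only 10 follow (an over-read). */
int run_truncated(void)
{
    uint8_t pkt[PKT_HDR_LEN + 10];
    size_t n = build_packet(pkt, sizeof pkt, 300, 10);
    frame_buf_t fb = {{0}, 0};
    return append_packet_safe(&fb, pkt, n);
}

int main(void)
{
    printf("benign=%d oversize=%d truncated=%d\n",
           run_benign(), run_oversize(), run_truncated());
    return 0;
}
```

The two checks in the hardened parser are deliberately separate: a length field can lie in either direction, and a demuxer that only guards the destination buffer still reads past the end of its input on a truncated packet. Note also that the check `len > FRAME_BUF_SIZE - fb->used` is only sound because `fb->used` can never exceed `FRAME_BUF_SIZE`; the subtraction would otherwise wrap.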
GStreamer is a cornerstone of Linux multimedia handling and is used by desktop environments, media players, video editors, and streaming services across Linux, Windows, macOS, Android, and iOS. The RealMedia format is rare today but is still supported for legacy content; the demuxer (the rmdemux element) ships in the gst-plugins-ugly module, so any application whose GStreamer installation includes that plugin can be made to parse a crafted RealMedia file. The attack requires user interaction, such as opening a malicious file or playing crafted streamed content, though on desktops a file indexer or thumbnail generator may hand a downloaded file to GStreamer without the user explicitly opening it. The impact is a full loss of confidentiality, integrity, and availability within the affected process.
GStreamer has addressed the vulnerability in a commit available on GitLab: 88df8d2cd063b95a076e8041b47f778a4402f363. Users and distributors are strongly advised to update to a GStreamer release that contains this commit; since the RealMedia demuxer lives in gst-plugins-ugly, that is the package to check rather than the core library alone. Linux distributions such as Ubuntu, Debian, Fedora, and Arch Linux are expected to backport the fix into their stable repositories. Where an update is not yet available, removing or disabling the RealMedia plugin eliminates the exposed parser. No evidence of active exploitation had been reported as of the advisory date.
The disclosure followed a coordinated timeline: the report reached GStreamer on February 11, 2026, and ZDI published its advisory on March 6, 2026, after the patch was available. Credit for the discovery goes to an anonymous researcher. The case is another instance of memory corruption in a media-parsing library, a class of bug that has long attracted attackers because these libraries must handle many complex, attacker-supplied formats with untrusted length and offset fields.
CVE-2026-2922 is a reminder that every value read from a media file must be bounds-checked before it drives a copy or a write. As GStreamer continues to be embedded in countless applications, vendors and the security community need to keep auditing and patching its format plugins, and users should prioritise updating affected GStreamer packages to remove the risk of code execution through a crafted file.