CVE-2026-3086: Critical GStreamer H.266 Codec Parser Flaw Enables Remote Code Execution
A critical out-of-bounds write vulnerability in GStreamer's H.266 codec parser (CVE-2026-3086) can be exploited for remote code execution, with a CVSS score of 7.8.

A critical vulnerability in GStreamer's H.266 codec parser, tracked as CVE-2026-3086 and reported via ZDI-26-170, allows remote attackers to execute arbitrary code on affected installations. The flaw resides in the processing of APS (Adaptation Parameter Set) units, where improper validation of user-supplied data can lead to a write past the end of an allocated buffer. Exploitation requires user interaction, but attack vectors may vary depending on the implementation.
The vulnerability was reported to GStreamer on February 11, 2026, and a coordinated public advisory was released on March 6, 2026. GStreamer has issued a fix via commit 025d59cf3459c2903f0384b6b94bc3235e177b53, which is available in the project's GitLab repository. Users are strongly advised to update their GStreamer installations to the patched version.
GStreamer is a widely used multimedia framework that powers media playback in many Linux distributions, embedded systems, and applications. The H.266 codec (Versatile Video Coding) is the latest video compression standard, and its parser is a critical component for handling media streams. An attacker could craft a malicious media file or stream that, when processed by an application using GStreamer, triggers the out-of-bounds write and achieves code execution in the context of the current process.
The CVSS score for this vulnerability is 7.8 (High), with the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a Local attack vector (the malicious media must reach and be processed on the victim's machine), low attack complexity and no privileges required. The requirement for user interaction (e.g., opening a malicious file) somewhat reduces the risk of widespread automated exploitation, but the potential impact on confidentiality, integrity, and availability is high.
This vulnerability highlights the ongoing challenges in securing complex multimedia parsers, which have historically been a rich source of memory corruption bugs. The GStreamer project has been proactive in addressing security issues, but users must ensure timely patching to mitigate risks. Organizations using GStreamer in media servers, video players, or streaming applications should prioritize applying the fix.
The disclosure timeline shows a relatively short window between reporting and public release, indicating coordinated effort between the reporter and vendor. The credit for the discovery goes to an anonymous researcher. As with many ZDI advisories, this vulnerability was reported through a coordinated disclosure process and may have been part of a broader research effort.