Logo
Retour à la veille

CVE-2026-12892

Publié : 23 juin 2026
Modifié : 24 juin 2026
Lien officiel NVD
Score CVSS
4.4
MEDIUM

Description détaillée

A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Références et Patchs

https://access.redhat.com/security/cve/CVE-2026-12892https://bugzilla.redhat.com/show_bug.cgi?id=2491321https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5108

Dernières Vulnérabilités

CVE-2026-9155

OS Command Injection vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to execute arbitrary OS commands via the expression parameter due to insufficient input validation.

VOIR DÉTAILS

CVE-2026-9154

Arbitrary File Write vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to write attacker-controlled content to arbitrary file paths via the expression parameter.

VOIR DÉTAILS

CVE-2026-9153

Arbitrary File Read vulnerability in Rapid7 InsightConnect Sed Plugin on Linux allows authenticated attackers to read arbitrary files via the expression parameter due to insufficient input validation.

VOIR DÉTAILS