CVE-2026-1940

EUVD-2026-14551
An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in the gst_wavparse_adtl_chunk() function. The patch added the size validation check lsize + 8 > size, but that check does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is odd, the rounded-up length is one byte larger than the validated length, so the parser advances further than was validated and reads out of bounds.
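The following C program is an added illustration of the mismatch the description points out; it is a constructed model and not GStreamer's code. It walks a LIST/adtl body of "ltag, lsize, payload, optional pad" records twice: once with a guard of the form lsize + 8 > size and once with a guard on the rounded-up length that the cursor actually advances by. The record layout, the helper names (walk_adtl, ROUND_UP_2) and the sample buffers are assumptions made for the example; the rounding mirrors what GST_ROUND_UP_2 computes.

```c
/* Constructed example, not GStreamer code: models the adtl sub-chunk walk
 * described in the advisory with a weak and a corrected size guard. */
#include <stdint.h>
#include <stdio.h>

/* Same rounding as GStreamer's GST_ROUND_UP_2, but done in 64 bits so a
 * huge lsize cannot wrap to a small step. */
#define ROUND_UP_2(n) (((uint64_t)(n) + 1u) & ~(uint64_t)1u)

struct walk_result {
    int chunks;            /* records the guard accepted */
    int stopped_by_guard;  /* 1 if the size check rejected a record */
    uint32_t overshoot;    /* bytes the cursor would move past the end; 0 = in bounds */
};

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk records inside a `size`-byte LIST/adtl body.
 * strict == 0 models the guard the advisory calls incomplete (lsize + 8 > size);
 * strict == 1 validates the padded length that the cursor really advances by. */
static struct walk_result walk_adtl(const uint8_t *data, uint32_t size, int strict)
{
    struct walk_result r = {0, 0, 0};
    uint32_t offset = 0;

    while (size >= 8) {
        uint32_t lsize = rd_u32le(data + offset + 4);
        /* Bytes the parser advances: 8-byte header plus payload padded to even. */
        uint64_t step = 8ull + ROUND_UP_2(lsize);
        /* Bytes the guard validates (64-bit so lsize + 8 cannot wrap). */
        uint64_t checked = strict ? step : 8ull + lsize;

        if (checked > size) {
            r.stopped_by_guard = 1;
            break;
        }
        r.chunks++;
        if (step > size) {
            /* A real parser would subtract step from the unsigned size and
             * read the next ltag/lsize from beyond the buffer. Report instead. */
            r.overshoot = (uint32_t)(step - size);
            break;
        }
        offset += (uint32_t)step;
        size   -= (uint32_t)step;
    }
    return r;
}

/* Constructed input: one "labl" record with odd lsize (5) and no pad byte,
 * so the body is exactly lsize + 8 = 13 bytes and the weak guard passes. */
static const uint8_t adtl_truncated[13] = {
    'l','a','b','l',  5,0,0,0,  'a','b','c','d','e'
};

/* Constructed input: well-formed body, "labl" (5 bytes + pad) then "note" (4 bytes). */
static const uint8_t adtl_ok[26] = {
    'l','a','b','l',  5,0,0,0,  'a','b','c','d','e', 0,
    'n','o','t','e',  4,0,0,0,  'w','x','y','z'
};

struct walk_result demo_weak(void)   { return walk_adtl(adtl_truncated, sizeof adtl_truncated, 0); }
struct walk_result demo_strict(void) { return walk_adtl(adtl_truncated, sizeof adtl_truncated, 1); }
struct walk_result demo_ok(void)     { return walk_adtl(adtl_ok, sizeof adtl_ok, 1); }

int main(void)
{
    struct walk_result w = demo_weak(), s = demo_strict(), ok = demo_ok();
    printf("weak guard:   chunks=%d overshoot=%u\n", w.chunks, w.overshoot);
    printf("strict guard: chunks=%d stopped=%d overshoot=%u\n",
           s.chunks, s.stopped_by_guard, s.overshoot);
    printf("well-formed:  chunks=%d overshoot=%u\n", ok.chunks, ok.overshoot);
    return 0;
}
```

With the 13-byte truncated body, the weak guard accepts the record (13 is not greater than 13) while the cursor advances 14 bytes, one byte past the end; the strict guard rejects it. The well-formed body, which carries the pad byte, walks both records cleanly under the strict guard, so the correction does not reject valid files.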
CVSS 3.x Base Score
Provider: NIST (Primary)
Base Score: 5.1 MEDIUM
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score
Percentile: 12%
Affected Products (NVD)
Vendor / Product / Version (x = vulnerable software versions)
freedesktop / gst-plugins-good / 1.0.0
gstreamer / gstreamer / < 1.28.1 (x)
debian / debian_linux / 11.0
debian / debian_linux / 12.0
redhat / enterprise_linux / 7.0
redhat / enterprise_linux / 8.0
redhat / enterprise_linux / 9.0
redhat / enterprise_linux / 10.0
Debian Releases
Debian Product: gst-plugins-good1.0
Codename / Status
bookworm: no-dsa
bookworm (security): vulnerable
bullseye: postponed
bullseye (security): vulnerable
forky: 1.28.2-4 (fixed)
sid: 1.28.2-4 (fixed)
trixie: no-dsa
Ubuntu Releases
Ubuntu Product: gst-plugins-bad1.0
Codename / Status
bionic: needs-triage
focal: needs-triage
jammy: needs-triage
noble: needs-triage
questing: needs-triage
resolute: not-affected
trusty: needs-triage
xenial: needs-triage