CVE-2026-46470

EUVD-2026-30350
An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
freedesktopgst-plugins-good
𝑥
< 1.28.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gst-plugins-good1.0
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
1.28.4-1
fixed
sid
1.28.4-1
fixed
trixie
vulnerable
trixie (security)
1.26.2-1+deb13u2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
gstreamer1-plugins-good
Amazon Linux 2
0:1.18.4-6.amzn2.0.11
fixed
Amazon Linux 2023
0:1.24.10-1.amzn2023.0.6
fixed
gstreamer1-plugins-good-debuginfo
Amazon Linux 2
0:1.18.4-6.amzn2.0.11
fixed
Amazon Linux 2023
0:1.24.10-1.amzn2023.0.6
fixed
gstreamer1-plugins-good-debugsource
Amazon Linux 2023
0:1.24.10-1.amzn2023.0.6
fixed
gstreamer1-plugins-good-gtk
Amazon Linux 2
0:1.18.4-6.amzn2.0.11
fixed
Amazon Linux 2023
0:1.24.10-1.amzn2023.0.6
fixed
gstreamer1-plugins-good-gtk-debuginfo
Amazon Linux 2023
0:1.24.10-1.amzn2023.0.6
fixed
Common Weakness Enumeration
References
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11243.patch
https://gstreamer.freedesktop.org/security/sa-2026-0018.html