[SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6167-1] gst-plugins-base1.0 security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 17 Mar 2026 20:05:28 +0000
Message-id: <abm0CAlu21h4cRQX@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-------------------------------------------------------------------------
Debian Security Advisory DSA-6167-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 17, 2026                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : CVE-2026-2921

An integer overflow was discovered in the RIFF parser of the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the oldstable distribution (bookworm), this problem has been fixed
in version 1.22.0-3+deb12u6.

For the stable distribution (trixie), this problem has been fixed in
version 1.26.2-1+deb13u1.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
An integer overflow vulnerability (CVE-2026-2921, CVSS 7.8) exists in the RIFF parser of the GStreamer gst-plugins-base1.0 package, which can lead to denial of service or arbitrary code execution when processing a malformed media file. The NVD lists gstreamer versions prior to 1.28.1 as affected. The fixed version is 1.28.1, and Debian-specific patches have been issued for its oldstable and stable distributions.