This security update addresses four critical vulnerabilities in GStreamer multimedia framework plugins, including heap-based buffer overflows and an integer overflow, which can lead to remote code execution when processing malicious JPEG, RTP, or AVI files. The CVSS scores for the specified CVEs range from 7.8 to 8.8. The vulnerabilities affect GStreamer versions prior to 1.28.1, and the fix requires upgrading to version 1.28.1.
Red Hat Product Errata RHSA-2026:8876 - Security Advisory Issued: 2026-04-20 Updated: 2026-04-20 RHSA-2026:8876 - Security Advisory Overview Updated Packages Synopsis Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for multiple packages is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser (CVE-2026-3082) GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (CVE-2026-3085) GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling (CVE-2026-2921) GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x Fixes BZ - 2447492 - CVE-2026-3082 GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser BZ - 2447495 - CVE-2026-3085 GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay BZ - 2447496 - CVE-2026-2921 GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling BZ - 2447498 - CVE-2026-3083 GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay CVEs CVE-2026-2921 CVE-2026-3082 CVE-2026-3083 CVE-2026-3085 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 SRPM gstreamer1-plugins-bad-free-1.18.4-8.el9_0.src.rpm SHA-256: 367347153fbd2381d2850adc15be7c2a6d70e42cb101bb10d77508105ffc16b4 gstreamer1-plugins-base-1.18.4-8.el9_0.src.rpm SHA-256: b0d451d0b5cc46b0faf9a6f94176c06028c178027286af9397e99abb9beb5dea gstreamer1-plugins-good-1.18.4-7.el9_0.src.rpm SHA-256: 2f8bb73f7e68c2ef6e5c972e3156197090cc91a7771cb3361ddeb5ea4819b4fc ppc64le gstreamer1-plugins-bad-free-1.18.4-8.el9_0.ppc64le.rpm SHA-256: f1e38f9c2a4deaa7b43b423935812a7554b000f2a695bd974cf36787dcfb2478 gstreamer1-plugins-bad-free-debuginfo-1.18.4-8.el9_0.ppc64le.rpm SHA-256: 5344cf747ebb6a4f48ac4ddce891cfee92b396529053d3b9e143d537724a3594 gstreamer1-plugins-bad-free-debugsource-1.18.4-8.el9_0.ppc64le.rpm SHA-256: 85138270d2e08100e71ab23b35d98587b584ff28412af9057f352ef13baca1bb gstreamer1-plugins-base-1.18.4-8.el9_0.ppc64le.rpm SHA-256: b77463ff6108568d243a25fef7154ba57902734215ddedb25e2bd00322d3d23e gstreamer1-plugins-base-debuginfo-1.18.4-8.el9_0.ppc64le.rpm SHA-256: fd5a325f10d053b5f43a9aebab54595c6cebf803594d7ef41c1c6a50c386921a gstreamer1-plugins-base-debugsource-1.18.4-8.el9_0.ppc64le.rpm SHA-256: 4e70543b035f73ae8200d5d78e502617310292604ad0e49245d948d0d6fef57b gstreamer1-plugins-base-devel-1.18.4-8.el9_0.ppc64le.rpm SHA-256: 5c3030d48a1b0941c2b3acbaa082a85bc1b0f6463e9c0d70e3216f9f367423d0 gstreamer1-plugins-base-tools-debuginfo-1.18.4-8.el9_0.ppc64le.rpm SHA-256: 6b7999ebe74c3ccd0f63e61b480beb7798bca7d7ec4fbbaf93d0aea1281f741e gstreamer1-plugins-good-1.18.4-7.el9_0.ppc64le.rpm SHA-256: 55d72f90b929e9309163658eb18b267d0e97d1f05107897da5a7748e2b888001 gstreamer1-plugins-good-debuginfo-1.18.4-7.el9_0.ppc64le.rpm SHA-256: 8c7e7a206c98a984cf4154fb352d9255af831cac3819a1aadd11762c69e1cfe0 gstreamer1-plugins-good-debugsource-1.18.4-7.el9_0.ppc64le.rpm SHA-256: e75f428a69a438ca423d5dd88553caf4755fc7dfd157bf7f8f10ba444787fbe0 gstreamer1-plugins-good-gtk-1.18.4-7.el9_0.ppc64le.rpm SHA-256: 9d2003996f73a2be29d21d1795263d75575948c6cb2c254b9bfb89293f912adc gstreamer1-plugins-good-gtk-debuginfo-1.18.4-7.el9_0.ppc64le.rpm SHA-256: 625a3c7c988b7c445563954be6089d50758c57b58b0f528a1bc384eb0f9bf39a gstreamer1-plugins-good-qt-debuginfo-1.18.4-7.el9_0.ppc64le.rpm SHA-256: ff77aa8240085713092e7bec0d718c4b785a9200b50b6c4e3902da04bfa71747 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 SRPM gstreamer1-plugins-bad-free-1.18.4-8.el9_0.src.rpm SHA-256: 367347153fbd2381d2850adc15be7c2a6d70e42cb101bb10d77508105ffc16b4 gstreamer1-plugins-base-1.18.4-8.el9_0.src.rpm SHA-256: b0d451d0b5cc46b0faf9a6f94176c06028c178027286af9397e99abb9beb5dea gstreamer1-plugins-good-1.18.4-7.el9_0.src.rpm SHA-256: 2f8bb73f7e68c2ef6e5c972e3156197090cc91a7771cb3361ddeb5ea4819b4fc x86_64 gstreamer1-plugins-bad-free-1.18.4-8.el9_0.i686.rpm SHA-256: a02c5fad9b6d1dda63c7c580c12ae4ccd448337de77df5d678b06d930d6ab039 gstreamer1-plugins-bad-free-1.18.4-8.el9_0.x86_64.rpm SHA-256: 610e97d77c5f5b8d50c28d7305d2736c4597e8a4c4ccc22980705af2cdb816ee gstreamer1-plugins-bad-free-debuginfo-1.18.4-8.el9_0.i686.rpm SHA-256: 440e8f8d99fa1c70a5e94e13482673351091795870d0a54c24e33b6e60d52a08 gstreamer1-plugins-bad-free-debuginfo-1.18.4-8.el9_0.x86_64.rpm SHA-256: 78f24bf2db805a58f53869345ca00ed026d1d5d975fc75406063b5f4a5db12da gstreamer1-plugins-bad-free-debugsource-1.18.4-8.el9_0.i686.rpm SHA-256: c9d90c2f89adae7dd56600708257c64ea27bb48d7eaeb70a8615e17d670e6e75 gstreamer1-plugins-bad-free-debugsource-1.18.4-8.el9_0.x86_64.rpm SHA-256: 831a029fbbf27f16bbc29a5ee4863cad6a65f4ef8fd91dc46ce33c2463899c66 gstreamer1-plugins-base-1.18.4-8.el9_0.i686.rpm SHA-256: 504488cdbd09ba5663deee5edba1f6bbc354ceab12754440cd212f7548675857 gstreamer1-plugins-base-1.18.4-8.el9_0.x86_64.rpm SHA-256: 9aaf7cb2ed8bd8ad37b1f42b40850d65d1988c8c75eff22a0c2bed3e720ea493 gstreamer1-plugins-base-debuginfo-1.18.4-8.el9_0.i686.rpm SHA-256: fe3ebcb9927971301562d60bb690ecfc60d762168aea7c3f9e7b73b5a0439a3d gstreamer1-plugins-base-debuginfo-1.18.4-8.el9_0.x86_64.rpm SHA-256: 64fe0becff5872347cbeb70d08331bdec289b8a95340fc2d21194721fbfe0054 gstreamer1-plugins-base-debugsource-1.18.4-8.el9_0.i686.rpm SHA-256: eb6487131e036d83adfccf5e0cab58c0bd9fd1c3ba9a1c70d20c3faadd3804d7 gstreamer1-plugins-base-debugsource-1.18.4-8.el9_0.x86_64.rpm SHA-256: 882eb6d3f5f882c2299dadd5a8e2a67109ed9ccdd321c9aab3ee051188b0e4c0 gstreamer1-plugins-base-devel-1.18.4-8.el9_0.i686.rpm SHA-256: 2ba0ec41527c0bf8ec5eed31895fd9b9f6d30c7e9089a6d5f4ff9ddb0319fefd gstreamer1-plugins-base-devel-1.18.4-8.el9_0.x86_64.rpm SHA-256: f30faab6165d4e8d119b2e8a7f0a15f65a5ff35a6fcbfd4b6734f0a94d7cf2dd gstreamer1-plugins-base-tools-debuginfo-1.18.4-8.el9_0.i686.rpm SHA-256: 79fe2ed483a15708cd0132bd4c8ce6d5fd921f9ad1359b889f830f5199863f8f gstreamer1-plugins-base-tools-debuginfo-1.18.4-8.el9_0.x86_64.rpm SHA-256: b396b17666ceae0da3c1168b221172546723dae33f36fe0b379ee16ea09c6ff3 gstreamer1-plugins-good-1.18.4-7.el9_0.i686.rpm SHA-256: 6739c9143ceace8669ccf69a60b5d38cd6b639481a25109d681c47ad67067e9e gstreamer1-plugins-good-1.18.4-7.el9_0.x86_64.rpm SHA-256: 29c29132e8a1de24ab17279022b6b880e8d9bdd20c08db1d3a2af94c2d9a62b6 gstreamer1-plugins-good-debuginfo-1.18.4-7.el9_0.i686.rpm SHA-256: 3c0af8fd2c83753ae20b2db0ec4635421a63d0693be5827f0aa2649ccdf45f3d gstreamer1-plugins-good-debuginfo-1.18.4-7.el9_0.x86_64.rpm SHA-256: 7e3347ff9c57eef9aef29b61b08b14f4b95ace37c4cad29cb7c23c8a03badd92 gstreamer1-plugins-good-debugsource-1.18.4-7.el9_0.i686.rpm SHA-256: 0473efe54ad9827805c93d23decf6da98c8622720a248979c160dd46e65cdce6 gstreamer1-plugins-good-debugsource-1.18.4-7.el9_0.x86_64.rpm SHA-256: af04574b730fdb5a89b078043099e4357f28239d034bfe245d91b01d87921363 gstreamer1-plugins-good-gtk-1.18.4-7.el9_0.i686.rpm SHA-256: 47aaede6ac78ca1d6308a643035f555961af2bee3c6961271f5764d7e1f3d8c8 gstreamer1-plugins-good-gtk-1.18.4-7.el9_0.x86_64.rpm SHA-256: 4fad17674137f84a8004497912f22afc35aec7df38be322d0ba1fc83f34cf849 gstreamer1-plugins-good-gtk-debuginfo-1.18.4-7.el9_0.i686.rpm SHA-256: b0e849224ca6c566f8f47876b237cbf5a49354282bc8d8fe05f38b218a51d05e gstreamer1-plugins-good-gtk-debuginfo-1.18.4-7.el9_0.x86_64.rpm SHA-256: edb315babf88806c5e76acd081a9952a1ab9231aec4cd39b89023b1ccb9dee26 gstreamer1-plugins-good-qt-debuginfo-1.18.4-7.el9_0.i686.rpm SHA-256: 82352da0b6c631e872a6102fa98371cce035da93eec6b473c6d3be4405367660 gstreamer1-plugins-good-qt-debuginfo-1.18.4-7.el9_0.x86_64.rpm SHA-256: bc3c445e1fae5a9625f3b18378fcce52ba01edea703c5af419aeb224f148f4df Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 SRPM gstreamer1-plugins-bad-free-1.18.4-8.el9_0.src.rpm SHA-256: 367347153fbd2381d2850adc15be7c2a6d70e42cb101bb10d77508105ffc16b4 gstreamer1-plugins-base-1.18.4-8.el9_0.src.rpm SHA-256: b0d451d0b5cc46b0faf9a6f94176c06028c178027286af9397e99abb9beb5dea gstreamer1-plugins-good-1.18.4-7.el9_0.src.rpm SHA-256: 2f8bb73f7e68c2ef6e5c972e3156197090cc91a7771cb3361ddeb5ea4819b4fc aarch64 gstreamer1-plugins-bad-free-1.18.4-8.el9_0.aarch64.rpm SHA-256: 59f2a99c2801b61ad6d32ec5a452bd614e892aa79de32d91482de1b4605cdd14 gstreamer1-plugins-bad-free-debuginf