This security update addresses four critical vulnerabilities in GStreamer multimedia framework plugins, including remote code execution via heap-based buffer overflows in the JPEG parser (CVE-2026-3082, CVSS 7.8) and the rtpqdm2depay element (CVE-2026-3085, CVSS 8.8), as well as arbitrary code execution via an integer overflow in AVI file handling (CVE-2026-2921, CVSS 7.8). The affected software includes gstreamer versions prior to 1.28.1. The fix is to upgrade the gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good packages to the patched versions provided in the advisory.
Red Hat Product Errata RHSA-2026:9488 - Security Advisory Issued: 2026-04-21 Updated: 2026-04-21 RHSA-2026:9488 - Security Advisory Overview Updated Packages Synopsis Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for multiple packages is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser (CVE-2026-3082) GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (CVE-2026-3085) GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling (CVE-2026-2921) GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64 Red Hat Enterprise Linux Server - TUS 8.8 x86_64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 Fixes BZ - 2447492 - CVE-2026-3082 GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser BZ - 2447495 - CVE-2026-3085 GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay BZ - 2447496 - CVE-2026-2921 GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling BZ - 2447498 - CVE-2026-3083 GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay CVEs CVE-2026-2921 CVE-2026-3082 CVE-2026-3083 CVE-2026-3085 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 SRPM gstreamer1-plugins-bad-free-1.16.1-4.el8_8.src.rpm SHA-256: 257a9559d4965a2e8d3f2cb3d6e71b5296f19a38d12fb5af02b85488523973d2 gstreamer1-plugins-base-1.16.1-4.el8_8.src.rpm SHA-256: 3ee6754ad037691872f2fd57a997ad0a0538a25c996595ac5a9916466d94f271 gstreamer1-plugins-good-1.16.1-5.el8_8.src.rpm SHA-256: 36364ff62c08e80bdc48c4369b76d8f41f3838d7abd74d00a965eb306e08c9c1 x86_64 gstreamer1-plugins-bad-free-1.16.1-4.el8_8.i686.rpm SHA-256: 8fdbeadcaceba5fad3bf420681b5a8158d16af6f06454f8f1b0369e265606c16 gstreamer1-plugins-bad-free-1.16.1-4.el8_8.x86_64.rpm SHA-256: cb9f3e049d4f2f6cd735da1db3d9956c8a78432fcc1b12cb1c996c2b2c231685 gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: d91283b90c2b4e28e49918d7aa0253f8026c938cbb33a5e16aaa60489fde61a4 gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: 3fd11289c8129b41ecce7fa828de281d2f4af6e87e0ae199b31a7b15034de131 gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_8.i686.rpm SHA-256: 7c1de0d22b7a4119254dbdcf3b9031c61de25d257de800923c9eea6795cc2fdc gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_8.x86_64.rpm SHA-256: 1dbc6659effe90f73cfe837c936bc09c873bc409f5ed50379f854df327a653bf gstreamer1-plugins-base-1.16.1-4.el8_8.i686.rpm SHA-256: 3eeaa4098625986474e1bfce4b1bd206267c4ed210133519e420f81a7af9e425 gstreamer1-plugins-base-1.16.1-4.el8_8.x86_64.rpm SHA-256: 36b9b5ea8b5db2c4eaaefef963796871531e411846c191fa562f08ceb5ddab9d gstreamer1-plugins-base-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: aa5125659f2ff89ef558122588b0e04d70933233aa6c9615f4a0e09417ebab15 gstreamer1-plugins-base-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: eef65d97f851222359c634bc68d32883bd826db915eb483c55b74e2ccb4f0871 gstreamer1-plugins-base-debugsource-1.16.1-4.el8_8.i686.rpm SHA-256: 5037c4d809db49729aa6265955292d20e7a705610e8a87bdfd4b3eefc16ab000 gstreamer1-plugins-base-debugsource-1.16.1-4.el8_8.x86_64.rpm SHA-256: 190e934fcff8544b8ecd3b57b0c7c2023c75e1d39fbe2d21a6d59f74010fae2e gstreamer1-plugins-base-devel-1.16.1-4.el8_8.i686.rpm SHA-256: 3ba3f636312b626490ed8f050ebac9069941e52ff8dcab4d3efd7d1619b79275 gstreamer1-plugins-base-devel-1.16.1-4.el8_8.x86_64.rpm SHA-256: 05420bcacc0a9c8934c15d9ca62f80b14e45f3dab05739df374626399e6da7c8 gstreamer1-plugins-base-tools-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: 55dc8b1a15efb18054d19e827326496890dcb0f9155cbff47d1600e3611f3c7d gstreamer1-plugins-base-tools-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: 87b88c66258696c79aefddb66fba86056f078b266985f946cb5973ea5248f4d6 gstreamer1-plugins-good-1.16.1-5.el8_8.i686.rpm SHA-256: a719825b1625c35606df707c6259797d2d84bb588b3b92922607363394d59ee0 gstreamer1-plugins-good-1.16.1-5.el8_8.x86_64.rpm SHA-256: 16748ce005bd021e8a274a25db4c4058c73f707db5c9b15e412ed11d23f55ea0 gstreamer1-plugins-good-debuginfo-1.16.1-5.el8_8.i686.rpm SHA-256: 4162d4a593ffe7f978d6952c4a3c1dbd868bd76efebd73a65476c8e74bc42855 gstreamer1-plugins-good-debuginfo-1.16.1-5.el8_8.x86_64.rpm SHA-256: f3d28366a3ab4c04e18cb9186f58824dbb6a110860ae7ccda0227f47cdf9cc1d gstreamer1-plugins-good-debugsource-1.16.1-5.el8_8.i686.rpm SHA-256: 45ef009bbcb50925fd29d24d2cb842ebcbc9eeff04b3fab55379ca031a276f19 gstreamer1-plugins-good-debugsource-1.16.1-5.el8_8.x86_64.rpm SHA-256: 7186694f5e4d65860eb13f0df75aa8ad90c67c503b67097f5de38c18978ff0a9 gstreamer1-plugins-good-gtk-1.16.1-5.el8_8.i686.rpm SHA-256: 6f4711a6ea16937ae97565edee79f1f71322de8d32ebc0960b27a56d2d121892 gstreamer1-plugins-good-gtk-1.16.1-5.el8_8.x86_64.rpm SHA-256: 7222b0c8f87c25d2e61d269d32d137864402a740166249bbb7181ae9cc226a62 gstreamer1-plugins-good-gtk-debuginfo-1.16.1-5.el8_8.i686.rpm SHA-256: adf44d6e42aedf380ab94a2586eb4ceb4e121388a3a8761f401e397b070bbd5e gstreamer1-plugins-good-gtk-debuginfo-1.16.1-5.el8_8.x86_64.rpm SHA-256: f4c2e4b7bee321b367e0385bf04c89c0dc99ea67ac8ffbac15fc74333c14e890 Red Hat Enterprise Linux Server - TUS 8.8 SRPM gstreamer1-plugins-bad-free-1.16.1-4.el8_8.src.rpm SHA-256: 257a9559d4965a2e8d3f2cb3d6e71b5296f19a38d12fb5af02b85488523973d2 gstreamer1-plugins-base-1.16.1-4.el8_8.src.rpm SHA-256: 3ee6754ad037691872f2fd57a997ad0a0538a25c996595ac5a9916466d94f271 gstreamer1-plugins-good-1.16.1-5.el8_8.src.rpm SHA-256: 36364ff62c08e80bdc48c4369b76d8f41f3838d7abd74d00a965eb306e08c9c1 x86_64 gstreamer1-plugins-bad-free-1.16.1-4.el8_8.i686.rpm SHA-256: 8fdbeadcaceba5fad3bf420681b5a8158d16af6f06454f8f1b0369e265606c16 gstreamer1-plugins-bad-free-1.16.1-4.el8_8.x86_64.rpm SHA-256: cb9f3e049d4f2f6cd735da1db3d9956c8a78432fcc1b12cb1c996c2b2c231685 gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: d91283b90c2b4e28e49918d7aa0253f8026c938cbb33a5e16aaa60489fde61a4 gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: 3fd11289c8129b41ecce7fa828de281d2f4af6e87e0ae199b31a7b15034de131 gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_8.i686.rpm SHA-256: 7c1de0d22b7a4119254dbdcf3b9031c61de25d257de800923c9eea6795cc2fdc gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_8.x86_64.rpm SHA-256: 1dbc6659effe90f73cfe837c936bc09c873bc409f5ed50379f854df327a653bf gstreamer1-plugins-base-1.16.1-4.el8_8.i686.rpm SHA-256: 3eeaa4098625986474e1bfce4b1bd206267c4ed210133519e420f81a7af9e425 gstreamer1-plugins-base-1.16.1-4.el8_8.x86_64.rpm SHA-256: 36b9b5ea8b5db2c4eaaefef963796871531e411846c191fa562f08ceb5ddab9d gstreamer1-plugins-base-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: aa5125659f2ff89ef558122588b0e04d70933233aa6c9615f4a0e09417ebab15 gstreamer1-plugins-base-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: eef65d97f851222359c634bc68d32883bd826db915eb483c55b74e2ccb4f0871 gstreamer1-plugins-base-debugsource-1.16.1-4.el8_8.i686.rpm SHA-256: 5037c4d809db49729aa6265955292d20e7a705610e8a87bdfd4b3eefc16ab000 gstreamer1-plugins-base-debugsource-1.16.1-4.el8_8.x86_64.rpm SHA-256: 190e934fcff8544b8ecd3b57b0c7c2023c75e1d39fbe2d21a6d59f74010fae2e gstreamer1-plugins-base-devel-1.16.1-4.el8_8.i686.rpm SHA-256: 3ba3f636312b626490ed8f050ebac9069941e52ff8dcab4d3efd7d1619b79275 gstreamer1-plugins-base-devel-1.16.1-4.el8_8.x86_64.rpm SHA-256: 05420bcacc0a9c8934c15d9ca62f80b14e45f3dab05739df374626399e6da7c8 gstreamer1-plugins-base-tools-debuginfo-1.16.1-4.el8_8.i686.rpm SHA-256: 55dc8b1a15efb18054d19e827326496890dcb0f9155cbff47d1600e3611f3c7d gstreamer1-plugins-base-tools-debuginfo-1.16.1-4.el8_8.x86_64.rpm SHA-256: 87b88c66258696c79aefddb66fba86056f078b266985f946cb5973ea5248f4d6 gstreamer1-plugins-good-1.16.1-5.el8_8.i686.rpm SHA-256: a719825b1625c35606df707c6259797d2d84bb588b3b92922607363394d59ee0 gstreamer1-plugins-good-1.16.1-5.el8_8.x86_64.rpm SHA-256: 16748ce005bd021e8a274a25db4c4058c73f707db5c9b15e412ed11d23f55ea0 gstreamer1-plugins-good-debuginfo-1.16.1-5.el8_8.i686.rpm SHA-256: 4162d4a593ffe7f978d6952c4a3c1dbd868bd76efebd73a65476c8e74bc42855 gstreamer1-plugins-good-debuginfo-1.16.1-5.el8_8.x86_64.rpm SHA-256: f3d28366a3ab4c04e18cb9186f58824dbb6a110860ae7ccda0227f47cdf9cc1d gstreamer1-plugins-good-debugsource-1.16.1-5.el8_8.i686.rpm SHA-256: 45ef009bbcb50925fd29d24d2cb842ebcbc9eeff04