- What: Security update for gstreamer1-plugins
- Impact: Red Hat Enterprise Linux 10 systems affected
Red Hat Product Errata RHSA-2026:19024 - Security Advisory Issued: 2026-05-19 Updated: 2026-05-19 RHSA-2026:19024 - Security Advisory Overview Updated Packages Synopsis Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for multiple packages is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fix(es): GStreamer: GStreamer: Arbitrary code execution via ASF file processing (CVE-2026-2920) GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser (CVE-2026-3082) GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (CVE-2026-3085) GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling (CVE-2026-2921) GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083) GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in RealMedia Demuxer (CVE-2026-2922) GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in DVB Subtitles handling (CVE-2026-2923) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 10 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 x86_64 Red Hat Enterprise Linux for IBM z Systems 10 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.2 s390x Red Hat Enterprise Linux for Power, little endian 10 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.2 ppc64le Red Hat Enterprise Linux for ARM 64 10 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.2 aarch64 Red Hat CodeReady Linux Builder for x86_64 10 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.2 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.2 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.2 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.2 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.2 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.2 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.2 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.2 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 10.2 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 10.2 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 10.2 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 10.2 s390x Fixes BZ - 2447490 - CVE-2026-2920 GStreamer: GStreamer: Arbitrary code execution via ASF file processing BZ - 2447492 - CVE-2026-3082 GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser BZ - 2447495 - CVE-2026-3085 GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay BZ - 2447496 - CVE-2026-2921 GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling BZ - 2447498 - CVE-2026-3083 GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay BZ - 2447500 - CVE-2026-2922 GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in RealMedia Demuxer BZ - 2447503 - CVE-2026-2923 GStreamer: GStreamer: Remote Code Execution via out-of-bounds write in DVB Subtitles handling CVEs CVE-2026-2920 CVE-2026-2921 CVE-2026-2922 CVE-2026-2923 CVE-2026-3082 CVE-2026-3083 CVE-2026-3085 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 10 SRPM gstreamer1-plugins-bad-free-1.26.7-2.el10_2.src.rpm SHA-256: 9073069e3a7ee67b52904df4316de00ec85ef4f93f87067aabe61f3d1442fa22 gstreamer1-plugins-base-1.26.7-2.el10_2.src.rpm SHA-256: b2e289fe6f03b6d8d7effada55333b28923017ad188185f5eaf2a45b120bb61a gstreamer1-plugins-good-1.26.7-2.el10_2.src.rpm SHA-256: b540cd156301c333450f8a87611419a75b3967c04257dfa7c62df26b92a450f0 gstreamer1-plugins-ugly-free-1.26.7-2.el10_2.src.rpm SHA-256: f80f87cd0e59741fbf83e9353c5797445abd8c71a885a2f55686737b3aafb20b x86_64 gstreamer1-plugins-bad-free-1.26.7-2.el10_2.x86_64.rpm SHA-256: 6d094f90bc796672ec786e191fc080d11d6ae0d9634171ee3fb03e5f03f3a5ea gstreamer1-plugins-bad-free-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: 6a731e0e54171699eda2d0153f17689e36ca67bbc8555bccdd377a2e19b14d86 gstreamer1-plugins-bad-free-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: 846c67ae80812744112dcced5f6f75c80651a14587cb881dc940494f723dabff gstreamer1-plugins-bad-free-libs-1.26.7-2.el10_2.x86_64.rpm SHA-256: 5c1d65a48de3fc35bb5523e15b7a418be166610ac22994dd1c274d7339ab5577 gstreamer1-plugins-bad-free-libs-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: 0522cc8a59273e596ad9645b36cbe4cb9dbd3ce158db823ac9f1056857f689b0 gstreamer1-plugins-base-1.26.7-2.el10_2.x86_64.rpm SHA-256: daec1e5229e0f8d90d921b0c0d68ba4b0de1609d838a6288f1aad45cd7b8478c gstreamer1-plugins-base-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: a12d28dde8254a2d8bfa0af5c7ad779a688a68b1731ca32eb1d4bc5f7d417176 gstreamer1-plugins-base-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: 3bae30438fda2d500c7075a19d88f4b7431de8902f72b1560bba45a8c34d56cf gstreamer1-plugins-base-devel-1.26.7-2.el10_2.x86_64.rpm SHA-256: 0e2949e3ec9bf77e99cd75a4458ab755d9581ed0302b606a9044f63b1a2de8d5 gstreamer1-plugins-base-tools-1.26.7-2.el10_2.x86_64.rpm SHA-256: a950ef339e6d6221e5a5741072ec4fb4fe232ee4f86cf76e89af417a60ebf59c gstreamer1-plugins-base-tools-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: dd2064420e0353ae005ae397452488c38e654c994cb17d173e95dea9b1ea45f9 gstreamer1-plugins-good-1.26.7-2.el10_2.x86_64.rpm SHA-256: 711aca90b9ef6dfdcd9032cf165e0a1520ad28ddb8fcb061983da15e7038c890 gstreamer1-plugins-good-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: 5458aa09eb9ef97a5d6646b9e51b206ccbe118de68dd0a46dbec6777dc479826 gstreamer1-plugins-good-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: 929228796deae7006784cb9ca44d3f0a5fa36e52b5f0bd489ffe3e96ea8eb598 gstreamer1-plugins-good-gtk-1.26.7-2.el10_2.x86_64.rpm SHA-256: feca7cd7378e4578546d4cd079f02a771e71507c7bf6e0c27d945de82894341c gstreamer1-plugins-good-gtk-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: f8b0d6230de48d1975ce0d56d971e297089cc852160fe9f325b9a13b489b1690 gstreamer1-plugins-good-qt6-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: bf09fe7c6384eb8581fdf269a47c3ac082494ee96beda063bd1f03549b3b8fe0 gstreamer1-plugins-ugly-free-1.26.7-2.el10_2.x86_64.rpm SHA-256: bc7548411266d4c2e10e3b1bef69582a5861fe87604f41e35a33248f263efb0e gstreamer1-plugins-ugly-free-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: db73325a62be1007ac6add1bbcfdf01f92d83fca6c5328107c08824a03e3ca55 gstreamer1-plugins-ugly-free-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: ac9285a990dc2292d3801e92c04d37472b506df21628f865e2b5006d756a59d4 Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.2 SRPM gstreamer1-plugins-bad-free-1.26.7-2.el10_2.src.rpm SHA-256: 9073069e3a7ee67b52904df4316de00ec85ef4f93f87067aabe61f3d1442fa22 gstreamer1-plugins-base-1.26.7-2.el10_2.src.rpm SHA-256: b2e289fe6f03b6d8d7effada55333b28923017ad188185f5eaf2a45b120bb61a gstreamer1-plugins-good-1.26.7-2.el10_2.src.rpm SHA-256: b540cd156301c333450f8a87611419a75b3967c04257dfa7c62df26b92a450f0 gstreamer1-plugins-ugly-free-1.26.7-2.el10_2.src.rpm SHA-256: f80f87cd0e59741fbf83e9353c5797445abd8c71a885a2f55686737b3aafb20b x86_64 gstreamer1-plugins-bad-free-1.26.7-2.el10_2.x86_64.rpm SHA-256: 6d094f90bc796672ec786e191fc080d11d6ae0d9634171ee3fb03e5f03f3a5ea gstreamer1-plugins-bad-free-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: 6a731e0e54171699eda2d0153f17689e36ca67bbc8555bccdd377a2e19b14d86 gstreamer1-plugins-bad-free-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: 846c67ae80812744112dcced5f6f75c80651a14587cb881dc940494f723dabff gstreamer1-plugins-bad-free-libs-1.26.7-2.el10_2.x86_64.rpm SHA-256: 5c1d65a48de3fc35bb5523e15b7a418be166610ac22994dd1c274d7339ab5577 gstreamer1-plugins-bad-free-libs-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: 0522cc8a59273e596ad9645b36cbe4cb9dbd3ce158db823ac9f1056857f689b0 gstreamer1-plugins-base-1.26.7-2.el10_2.x86_64.rpm SHA-256: daec1e5229e0f8d90d921b0c0d68ba4b0de1609d838a6288f1aad45cd7b8478c gstreamer1-plugins-base-debuginfo-1.26.7-2.el10_2.x86_64.rpm SHA-256: a12d28dde8254a2d8bfa0af5c7ad779a688a68b1731ca32eb1d4bc5f7d417176 gstreamer1-plugins-base-debugsource-1.26.7-2.el10_2.x86_64.rpm SHA-256: 3bae30438fda2d500c7075a19d88f4b7431de8902f72b1560bba45a8c34d56cf gstreamer1-plugins-base-devel-1.26.7-2.el10_2.x86_64.rpm SHA-256: 0e2949e3ec9bf77e99cd75a4458ab755d9581ed0302b606a9044f63b1a2de8d5 gstr