In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Description

Affected Products

Vendor	Product	Versions
gstreamer	gstreamer	< 1.26.2

References

https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md(Exploit, Third Party Advisory)
https://gstreamer.freedesktop.org/security/(Vendor Advisory)

Related News (1 articles)

Tier B

BSI Advisories2h ago

[UPDATE] [mittel] Oracle Java SE: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.18.1 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available1.26.2

CWECWE-125

PublishedAug 7, 2025

Last enriched4d ago

Trending Score27

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-3086

GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Inter

Trending: 25

HIGHCVE-2026-3083

GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction

Trending: 25

HIGHCVE-2026-3085

GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Inte

Trending: 25

HIGHCVE-2026-3082

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Inter

Trending: 25

HIGHCVE-2026-3084

GStreamer H.266 Codec Parser Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interac

Trending: 25

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Aug 7, 2025

Patch Available

Mar 17, 2026

Discovered by ZDM

Mar 26, 2026