{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gstreamer-rfbsrc-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-59691"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GStreamer rfbsrc plugin","gstreamer1-plugins-bad-free","gstreamer-plugins-bad-free"],"_cs_severities":["high"],"_cs_tags":["vulnerability","heap-overflow","denial-of-service","gstreamer","linux","red-hat","cve"],"_cs_type":"advisory","_cs_vendors":["GStreamer","Red Hat"],"content_html":"\u003cp\u003eA critical heap buffer overflow vulnerability, identified as CVE-2026-59691, has been discovered in the \u003ccode\u003erfbsrc\u003c/code\u003e plugin of GStreamer, an open-source multimedia framework. This flaw allows a remote, unauthenticated attacker to cause a denial of service (DoS) and potentially memory corruption in affected client applications. The vulnerability is triggered when a client application, configured to use the \u003ccode\u003erfbsrc\u003c/code\u003e plugin, connects to a specially crafted, malicious RFB/VNC server. The malicious server advertises a 16 bits per pixel (bpp) framebuffer and subsequently sends Hextile-encoded updates containing 32-bit pixel values. Due to a type mismatch, GStreamer's \u003ccode\u003eHextile background fill path\u003c/code\u003e attempts to write these 32-bit values into a buffer explicitly allocated for 16-bit pixels, leading to an out-of-bounds heap write. This immediately results in a crash of the client application, making it unavailable. This vulnerability affects systems using GStreamer, specifically several versions of Red Hat Enterprise Linux including RHEL 6, 7, 8, 9, and 10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sets up and operates a malicious RFB/VNC server.\u003c/li\u003e\n\u003cli\u003eA legitimate client application, utilizing GStreamer's \u003ccode\u003erfbsrc\u003c/code\u003e plugin, is induced (e.g., via social engineering or compromised legitimate server redirection) to connect to the attacker's malicious RFB/VNC server.\u003c/li\u003e\n\u003cli\u003eUpon connection, the malicious server advertises a 16 bits per pixel (16bpp) framebuffer configuration to the connecting client.\u003c/li\u003e\n\u003cli\u003eThe malicious server then sends specially crafted Hextile-encoded updates to the client.\u003c/li\u003e\n\u003cli\u003eThe GStreamer \u003ccode\u003erfbsrc\u003c/code\u003e plugin processes these updates, and its \u003ccode\u003eHextile background fill path\u003c/code\u003e attempts to handle the pixel data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erfbsrc\u003c/code\u003e plugin writes 32-bit pixel values from the Hextile updates into a memory buffer that was incorrectly allocated for 16-bit pixels due to the advertised framebuffer configuration.\u003c/li\u003e\n\u003cli\u003eThis type mismatch results in an out-of-bounds heap write, corrupting memory outside the intended buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write leads to an immediate crash of the client application, resulting in a denial of service. Potential memory corruption may also occur, which could theoretically be leveraged for further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59691 leads to the crash of any client application utilizing the vulnerable GStreamer \u003ccode\u003erfbsrc\u003c/code\u003e plugin when connecting to a malicious RFB/VNC server. This results in a complete denial of service for the affected application, making it unusable. While the primary impact is a crash, the out-of-bounds write can also lead to memory corruption, which could potentially be leveraged by an attacker to achieve more severe consequences, such as arbitrary code execution, though this is not explicitly confirmed by the source. This vulnerability directly impacts systems running Red Hat Enterprise Linux 6, 7, 8, 9, and 10, affecting the stability of applications relying on GStreamer for VNC connectivity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59691 by updating GStreamer packages (specifically \u003ccode\u003egstreamer1-plugins-bad-free\u003c/code\u003e and \u003ccode\u003egstreamer-plugins-bad-free\u003c/code\u003e) on all affected Red Hat Enterprise Linux systems to the versions provided by Red Hat.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and strict outbound firewall rules to limit client workstation connections to only trusted and legitimate RFB/VNC servers, thereby minimizing exposure to malicious servers that could exploit CVE-2026-59691.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T11:21:23Z","date_published":"2026-07-09T11:21:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59691-gstreamer-rfbsrc-overflow/","summary":"A heap buffer overflow vulnerability (CVE-2026-59691) exists in GStreamer's rfbsrc plugin, allowing a malicious RFB/VNC server to trigger an out-of-bounds heap write in connecting clients, leading to denial of service and potential memory corruption.","title":"CVE-2026-59691: GStreamer rfbsrc Heap Buffer Overflow Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59691-gstreamer-rfbsrc-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - GStreamer Rfbsrc Plugin","version":"https://jsonfeed.org/version/1.1"}