{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/gstreamer1-plugins-bad-free/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59692"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DTLS plugin","gstreamer1-plugins-bad-free","gstreamer-plugins-bad-free"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","buffer-overflow","vulnerability","dtls","gstreamer","linux","high_confidence_source","watchlist_match"],"_cs_type":"advisory","_cs_vendors":["GStreamer","Red Hat"],"content_html":"\u003cp\u003eA significant denial-of-service vulnerability, CVE-2026-59692, has been identified in the DTLS plugin of GStreamer, a multimedia framework. This flaw allows a remote, unauthenticated attacker to crash any application or service utilizing the vulnerable plugin during a DTLS handshake. The vulnerability stems from a stack buffer overflow where the peer certificate's Subject Distinguished Name (DN) is copied into a fixed 2048-byte stack buffer without proper bounds checking. By presenting a specially crafted certificate containing an excessively long Subject DN, attackers can overwrite adjacent memory on the stack, leading to an immediate process crash and service interruption. This issue was publicly disclosed on July 9, 2026, and primarily impacts systems running GStreamer with the DTLS plugin, including various versions of Red Hat Enterprise Linux. This vulnerability is critical for defenders as it enables complete service disruption without requiring authentication or complex attack vectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA remote unauthenticated attacker identifies a system or application using GStreamer with the vulnerable DTLS plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DTLS peer certificate where the Subject Distinguished Name (DN) field is intentionally oversized, exceeding 2048 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a DTLS handshake with the targeted vulnerable system or application.\u003c/li\u003e\n\u003cli\u003eDuring the handshake process, the GStreamer DTLS plugin receives the attacker's crafted certificate.\u003c/li\u003e\n\u003cli\u003eThe plugin attempts to print the oversized Subject DN from the certificate into a fixed-size 2048-byte stack buffer.\u003c/li\u003e\n\u003cli\u003eDue to the absence of bounds checking, the oversized Subject DN overflows the allocated stack buffer.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow corrupts adjacent memory on the stack, leading to a critical program error.\u003c/li\u003e\n\u003cli\u003eThe vulnerable process crashes, resulting in a denial-of-service condition for the affected application or system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59692 leads directly to a denial-of-service (DoS) condition. Any application or service relying on the vulnerable GStreamer DTLS plugin will crash upon receiving a specially crafted DTLS handshake from an attacker. This can significantly disrupt critical services, leading to operational downtime, financial losses, and reputational damage. While specific victim counts or targeted sectors are not detailed, any organization leveraging GStreamer for multimedia streaming with DTLS capabilities is potentially at risk, including those running Red Hat Enterprise Linux distributions. The unauthenticated and remote nature of the attack makes it a severe threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching CVE-2026-59692 on all affected GStreamer DTLS plugin installations to prevent denial-of-service.\u003c/li\u003e\n\u003cli\u003eReview the referenced merge request at \u003ccode\u003ehttps://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/99\u003c/code\u003e for official patch details and apply immediately.\u003c/li\u003e\n\u003cli\u003eConsult Red Hat's security advisory at \u003ccode\u003ehttps://access.redhat.com/security/cve/CVE-2026-59692\u003c/code\u003e for specific updates related to Red Hat Enterprise Linux versions.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or restarts of services utilizing the GStreamer DTLS plugin, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T11:22:12Z","date_published":"2026-07-09T11:22:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-gstreamer-dtls-dos/","summary":"A stack buffer overflow vulnerability, CVE-2026-59692, exists in GStreamer's DTLS plugin, allowing a remote unauthenticated attacker to cause a denial of service by sending a crafted certificate with an oversized Subject Distinguished Name during a DTLS handshake, which the plugin prints into a fixed-size stack buffer without bounds checking, leading to a process crash.","title":"CVE-2026-59692: GStreamer DTLS Plugin Stack Buffer Overflow Leading to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-gstreamer-dtls-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-59691"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GStreamer rfbsrc plugin","gstreamer1-plugins-bad-free","gstreamer-plugins-bad-free"],"_cs_severities":["high"],"_cs_tags":["vulnerability","heap-overflow","denial-of-service","gstreamer","linux","red-hat","cve"],"_cs_type":"advisory","_cs_vendors":["GStreamer","Red Hat"],"content_html":"\u003cp\u003eA critical heap buffer overflow vulnerability, identified as CVE-2026-59691, has been discovered in the \u003ccode\u003erfbsrc\u003c/code\u003e plugin of GStreamer, an open-source multimedia framework. This flaw allows a remote, unauthenticated attacker to cause a denial of service (DoS) and potentially memory corruption in affected client applications. The vulnerability is triggered when a client application, configured to use the \u003ccode\u003erfbsrc\u003c/code\u003e plugin, connects to a specially crafted, malicious RFB/VNC server. The malicious server advertises a 16 bits per pixel (bpp) framebuffer and subsequently sends Hextile-encoded updates containing 32-bit pixel values. Due to a type mismatch, GStreamer's \u003ccode\u003eHextile background fill path\u003c/code\u003e attempts to write these 32-bit values into a buffer explicitly allocated for 16-bit pixels, leading to an out-of-bounds heap write. This immediately results in a crash of the client application, making it unavailable. This vulnerability affects systems using GStreamer, specifically several versions of Red Hat Enterprise Linux including RHEL 6, 7, 8, 9, and 10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sets up and operates a malicious RFB/VNC server.\u003c/li\u003e\n\u003cli\u003eA legitimate client application, utilizing GStreamer's \u003ccode\u003erfbsrc\u003c/code\u003e plugin, is induced (e.g., via social engineering or compromised legitimate server redirection) to connect to the attacker's malicious RFB/VNC server.\u003c/li\u003e\n\u003cli\u003eUpon connection, the malicious server advertises a 16 bits per pixel (16bpp) framebuffer configuration to the connecting client.\u003c/li\u003e\n\u003cli\u003eThe malicious server then sends specially crafted Hextile-encoded updates to the client.\u003c/li\u003e\n\u003cli\u003eThe GStreamer \u003ccode\u003erfbsrc\u003c/code\u003e plugin processes these updates, and its \u003ccode\u003eHextile background fill path\u003c/code\u003e attempts to handle the pixel data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erfbsrc\u003c/code\u003e plugin writes 32-bit pixel values from the Hextile updates into a memory buffer that was incorrectly allocated for 16-bit pixels due to the advertised framebuffer configuration.\u003c/li\u003e\n\u003cli\u003eThis type mismatch results in an out-of-bounds heap write, corrupting memory outside the intended buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write leads to an immediate crash of the client application, resulting in a denial of service. Potential memory corruption may also occur, which could theoretically be leveraged for further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59691 leads to the crash of any client application utilizing the vulnerable GStreamer \u003ccode\u003erfbsrc\u003c/code\u003e plugin when connecting to a malicious RFB/VNC server. This results in a complete denial of service for the affected application, making it unusable. While the primary impact is a crash, the out-of-bounds write can also lead to memory corruption, which could potentially be leveraged by an attacker to achieve more severe consequences, such as arbitrary code execution, though this is not explicitly confirmed by the source. This vulnerability directly impacts systems running Red Hat Enterprise Linux 6, 7, 8, 9, and 10, affecting the stability of applications relying on GStreamer for VNC connectivity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59691 by updating GStreamer packages (specifically \u003ccode\u003egstreamer1-plugins-bad-free\u003c/code\u003e and \u003ccode\u003egstreamer-plugins-bad-free\u003c/code\u003e) on all affected Red Hat Enterprise Linux systems to the versions provided by Red Hat.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and strict outbound firewall rules to limit client workstation connections to only trusted and legitimate RFB/VNC servers, thereby minimizing exposure to malicious servers that could exploit CVE-2026-59691.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T11:21:23Z","date_published":"2026-07-09T11:21:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59691-gstreamer-rfbsrc-overflow/","summary":"A heap buffer overflow vulnerability (CVE-2026-59691) exists in GStreamer's rfbsrc plugin, allowing a malicious RFB/VNC server to trigger an out-of-bounds heap write in connecting clients, leading to denial of service and potential memory corruption.","title":"CVE-2026-59691: GStreamer rfbsrc Heap Buffer Overflow Leads to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59691-gstreamer-rfbsrc-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Gstreamer1-Plugins-Bad-Free","version":"https://jsonfeed.org/version/1.1"}