{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2920", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-02-20T22:26:46.339Z", "datePublished": "2026-03-13T20:38:27.802Z", "dateUpdated": "2026-03-18T03:55:37.859Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:38:27.802Z"}, "title": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843."}], "affected": [{"vendor": "GStreamer", "product": "GStreamer", "versions": [{"version": "1c6e163aa33962f5ee4a87d29319ccdd5cb67612", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-164/", "name": "ZDI-26-164", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-02-20T22:26:46.412Z", "datePublic": "2026-03-06T21:20:58.769Z", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-2920"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T03:55:37.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2920", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:23:45.493748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:23:53.849Z"}}], "cna": {"title": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Anonymous"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "GStreamer", "product": "GStreamer", "versions": [{"status": "affected", "version": "1c6e163aa33962f5ee4a87d29319ccdd5cb67612"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-06T21:20:58.769Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-164/", "name": "ZDI-26-164", "tags": ["x_research-advisory"]}, {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3", "name": "vendor-provided URL", "tags": ["vendor-advisory"]}], "dateAssigned": "2026-02-20T22:26:46.412Z", "descriptions": [{"lang": "en", "value": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-03-13T20:38:27.802Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2920", "state": "PUBLISHED", "dateUpdated": "2026-03-18T03:55:37.859Z", "dateReserved": "2026-02-20T22:26:46.339Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-03-13T20:38:27.802Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F1B75B8-0527-487E-8F53-A658F7A1E7A5", "versionEndExcluding": "1.28.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843."}], "id": "CVE-2026-2920", "lastModified": "2026-03-17T18:58:45.980", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:31.637", "references": [{"source": "zdi-disclosures@trendmicro.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3"}, {"source": "zdi-disclosures@trendmicro.com", "tags": ["Third Party Advisory"], "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-164/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{"bugzilla": {"description": "GStreamer: GStreamer: Arbitrary code execution via ASF file processing", "id": "2447490", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447490"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in GStreamer. This heap-based buffer overflow vulnerability in the ASF Demuxer component allows a remote attacker to execute arbitrary code. The issue arises from insufficient validation of user-supplied data length when processing stream headers within ASF (Advanced Systems Format) files, leading to data being copied to a fixed-length heap-based buffer without proper bounds checking. Successful exploitation can result in arbitrary code execution in the context of the current process."], "mitigation": {"lang": "en:us", "value": "Avoid processing untrusted ASF (Advanced Systems Format) media files. This vulnerability in the GStreamer ASF Demuxer requires user interaction, such as opening a malicious ASF file, to trigger the heap-based buffer overflow. Limiting exposure to untrusted media content can reduce the attack surface."}, "name": "CVE-2026-2920", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gstreamer1", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "gstreamer", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "gstreamer", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "gstreamer1", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "gstreamer1", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mingw-gstreamer1", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "gstreamer1", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-13T20:38:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2920\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2920\nhttps://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3\nhttps://www.zerodayinitiative.com/advisories/ZDI-26-164/"], "statement": "This is an IMPORTANT heap-based buffer overflow vulnerability in the GStreamer ASF Demuxer. The flaw allows remote code execution when processing specially crafted ASF files due to improper validation of stream header lengths. Red Hat products utilizing GStreamer for multimedia processing are affected if they handle untrusted ASF content.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "1c6e163aa33962f5ee4a87d29319ccdd5cb67612"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "GStreamer", "source": "cna", "vendor": "GStreamer"}, "product": "gstreamer", "vendor": "gstreamer"}], "analysis": {"en": {"generated_at": "2026-03-17T21:07:01.700778+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest GStreamer patch that addresses the ASF demuxer buffer overflow.", "If a patch is unavailable, disable or bypass the ASF demuxer in affected applications or reject malformed ASF files.", "Monitor incoming ASF files for anomalous header lengths and log any attempts to process oversized headers.", "Keep the GStreamer library and its dependencies up to date to receive future security fixes.", "Notify security teams of any suspicious ASF-related activity and maintain visibility into potential exploitation attempts."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is GStreamer, as identified by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. Affected vendors and products list only GStreamer (Key detail from known CNA vendors/products). No specific affected version information is provided in the known CNA affected version data (Key detail from known CNA affected version: not available). Therefore, all GStreamer installations that parse ASF files are potentially vulnerable unless mitigated by a patch or runtime restriction.", "description_and_impact": "Key detail from CVE description: GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. The flaw exists in the processing of ASF stream headers, where user-supplied data is copied into a fixed-length heap buffer without proper length validation (Key detail from vendor commit: The specific flaw exists within the processing of stream headers within ASF files). This results in a heap-based buffer overflow (CWE-120, CWE-122) that allows an attacker to execute arbitrary code in the context of the current process (Key detail from CVE description: An attacker can leverage this vulnerability to execute code). The primary impact is that a malicious actor can gain code execution privileges on any system that uses the vulnerable GStreamer library to process ASF files.", "risk_and_exploitability": "Key detail from scoring data: CVSS score 7.8 indicates a high severity, and EPSS score <1% suggests a low current exploitation probability (Key detail from scoring data: EPSS Score: < 1%). The vulnerability is not listed in the CISA KEV catalog (Key detail from scoring data: KEV: not listed). The likely attack vector is remote exploitation via a crafted ASF file delivered over network or local ingestion; this inference is based on the requirement for interaction with the library (Key detail from CVE description). An attacker could supply a malformed ASF header to trigger the heap overflow and gain code execution. Since no official workaround is listed, monitoring input traffic and applying a patch are the primary defensive measures."}}}}, "created": "2026-03-16T09:23:37.435341+00:00", "updated": "2026-03-23T13:39:45.484460+00:00", "vendors": ["gstreamer", "gstreamer$PRODUCT$gstreamer"]}