CVE-2026-2921 (GCVE-0-2026-2921)

Vulnerability from cvelistv5 – Published: 2026-03-13 20:41 – Updated: 2026-03-29 12:09
VLAI?
Title
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability
Summary
GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.
Severity ?
7.8 (High)
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
  • CWE-190 - Integer Overflow or Wraparound
Assigner
zdi
References
Impacted products
Vendor Product Version
GStreamer GStreamer Affected: 1c6e163aa33962f5ee4a87d29319ccdd5cb67612
Create a notification for this product.
Date Public ?
2026-03-06 21:21
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T03:55:40.080Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-29T12:09:12.529Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00018.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GStreamer",
          "vendor": "GStreamer",
          "versions": [
            {
              "status": "affected",
              "version": "1c6e163aa33962f5ee4a87d29319ccdd5cb67612"
            }
          ]
        }
      ],
      "dateAssigned": "2026-02-20T22:26:53.782Z",
      "datePublic": "2026-03-06T21:21:19.344Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T20:41:50.780Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-26-168",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-168/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e3a99c35266fc92dd6a18ac5fde028d0cda559e6"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2026-2921",
    "datePublished": "2026-03-13T20:41:50.780Z",
    "dateReserved": "2026-02-20T22:26:53.743Z",
    "dateUpdated": "2026-03-29T12:09:12.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-2921\",\"sourceIdentifier\":\"zdi-disclosures@trendmicro.com\",\"published\":\"2026-03-16T14:19:32.730\",\"lastModified\":\"2026-03-29T13:16:59.450\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\\n\\nThe specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo por desbordamiento de entero en la paleta RIFF de GStreamer. Esta vulnerabilidad permite a atacantes remotos ejecutar c\u00f3digo arbitrario en instalaciones afectadas de GStreamer. Se requiere interacci\u00f3n con esta biblioteca para explotar esta vulnerabilidad, pero los vectores de ataque pueden variar dependiendo de la implementaci\u00f3n.\\n\\nLa falla espec\u00edfica existe en el manejo de datos de paleta en archivos AVI. El problema resulta de la falta de validaci\u00f3n adecuada de los datos proporcionados por el usuario, lo que puede resultar en un desbordamiento de entero antes de escribir en la memoria. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual. Fue ZDI-CAN-28854.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.28.1\",\"matchCriteriaId\":\"1F1B75B8-0527-487E-8F53-A658F7A1E7A5\"}]}]}],\"references\":[{\"url\":\"https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e3a99c35266fc92dd6a18ac5fde028d0cda559e6\",\"source\":\"zdi-disclosures@trendmicro.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-26-168/\",\"source\":\"zdi-disclosures@trendmicro.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2026/03/msg00018.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2026/03/msg00018.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-29T12:09:12.529Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2921\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-16T15:26:01.092634Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-16T15:31:49.511Z\"}}], \"cna\": {\"title\": \"GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability\", \"source\": {\"lang\": \"en\", \"value\": \"Anonymous\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"GStreamer\", \"product\": \"GStreamer\", \"versions\": [{\"status\": \"affected\", \"version\": \"1c6e163aa33962f5ee4a87d29319ccdd5cb67612\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2026-03-06T21:21:19.344Z\", \"references\": [{\"url\": \"https://www.zerodayinitiative.com/advisories/ZDI-26-168/\", \"name\": \"ZDI-26-168\", \"tags\": [\"x_research-advisory\"]}, {\"url\": \"https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e3a99c35266fc92dd6a18ac5fde028d0cda559e6\", \"name\": \"vendor-provided URL\", \"tags\": [\"vendor-advisory\"]}], \"dateAssigned\": \"2026-02-20T22:26:53.782Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\\n\\nThe specific flaw exists within the handling of palette data in AVI files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28854.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-190\", \"description\": \"CWE-190: Integer Overflow or Wraparound\"}]}], \"providerMetadata\": {\"orgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"shortName\": \"zdi\", \"dateUpdated\": \"2026-03-13T20:41:50.780Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-2921\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-29T12:09:12.529Z\", \"dateReserved\": \"2026-02-20T22:26:53.743Z\", \"assignerOrgId\": \"99f1926a-a320-47d8-bbb5-42feb611262e\", \"datePublished\": \"2026-03-13T20:41:50.780Z\", \"assignerShortName\": \"zdi\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.