CVE-2026-12892
MediumCVSS 4.4Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In the GStreamer library (gst-plugins-bad), processing a crafted H.264 video file with malformed MVC or SVC extension slice NAL units triggers a one-byte heap out-of-bounds read. The flaw occurs when the parser checks slice boundary information without verifying that the NAL unit contains enough data beyond the extension header.
Risk Assessment
An attacker can trick a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory, which might expose sensitive information.
Recommendation
Immediately update the gst-plugins-bad package to a version containing the fix for CVE-2026-12892. Until updated, avoid opening untrusted H.264 files in applications using GStreamer.
Original NVD description (English source)
A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory.

