#1130059 gstreamer1.0-plugins-bad: Multiple security vulnerabilities fixed upstream (possible RCE)

Package:
gstreamer1.0-plugins-bad
Source:
gstreamer1.0-plugins-bad
Description:
GStreamer plugins from the "bad" set
Submitter:
Ulises Antonio Sámano Galván
Date:
2026-03-11 04:51:01 UTC
Severity:
normal
Tags:
#1130059#5
Date:
2026-03-08 04:06:44 UTC
From:
To:
Dear Maintainer, the version of gstreamer1.0-plugins-bad currently shipped in
Debian appears to be affected by multiple security vulnerabilities that have
already been fixed in upstream releases.

The following CVEs were addressed in upstream version 1.28.1:

- ZDI-CAN-28840 - It might be possible for a malicious third party to trigger a
crash in the application, and possibly also effect code execution through heap
manipulation.
- ZDI-CAN-28838 - It is possible for a malicious third party to trigger
out-of-bounds reads and writes to heap memory, which can result in a crash of
the application.
- ZDI-CAN-28911 - It is possible for a malicious third party to trigger a
buffer overflow that can result in a crash of the application and possibly also
allow code execution through stack manipulation.
- ZDI-CAN-28839 - A stack overflow in the H.266 video bitstream parser when
parsing pic_timing SEIs can cause crashes for certain input files, and could
possibly also allow code execution through stack manipulation.
- ZDI-CAN-28910 - An out-of-bound write in the H.266 video bitstream parser
when parsing picture partitions can cause crashes for certain input files, and
could possibly also allow code execution through heap manipulation.
- GStreamer-SA-2026-0012 - A missing bounds check in the H.265 video parser
could cause a crash for certain malformed input files through memory
exhaustion.

References:

https://gstreamer.freedesktop.org/releases/1.28/#1.28.1
https://gstreamer.freedesktop.org/security/

Patches:

ZDI-CAN-28840 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885.patch
ZDI-CAN-28838 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10884.patch
ZDI-CAN-28911 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10888.patch
ZDI-CAN-28839 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10889.patch
ZDI-CAN-28910 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10887.patch
GStreamer-SA-2026-0012 -
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10902.patch

#1130059#10
Date:
2026-03-10 11:48:33 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gst-plugins-bad1.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1130059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Leeman <marc.leeman@gmail.com> (supplier of updated gst-plugins-bad1.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 10 Mar 2026 10:53:38 +0100
Source: gst-plugins-bad1.0
Architecture: source
Version: 1.28.1-2
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>
Changed-By: Marc Leeman <marc.leeman@gmail.com>
Closes: 1130059
Changes:
 gst-plugins-bad1.0 (1.28.1-2) unstable; urgency=medium
 .
   * Revert "Build the ONNX neural network plugin"
   * Overdue closing of security bug with release of new upstream 1.28.1
     (Closes: #1130059)