{"id":"CVE-2026-2920","details":"GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of stream headers within ASF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28843.","modified":"2026-04-17T13:29:25.729670177Z","published":"2026-03-16T14:19:31.637Z","related":["ALSA-2026:6259","ALSA-2026:6300","ALSA-2026:6750","SUSE-SU-2026:0998-1","SUSE-SU-2026:20915-1","openSUSE-SU-2026:20402-1"],"references":[{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-26-164/"},{"type":"FIX","url":"https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/37d7991168a223d0810fd1f4493ec6a8b6a510d3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gstreamer/gstreamer","events":[{"introduced":"0"},{"fixed":"dcb37e20147e3b59344bab1e1cbb57e908cc6b92"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.28.1"}]}},{"type":"GIT","repo":"https://gitlab.freedesktop.org/gstreamer/gstreamer","events":[{"introduced":"0"},{"fixed":"37d7991168a223d0810fd1f4493ec6a8b6a510d3"}]}],"versions":["1.0.0","1.0.1","1.0.2","1.1.1","1.1.2","1.1.3","1.1.4","1.1.90","1.10.0","1.11.0","1.11.1","1.11.2","1.11.90","1.11.91","1.12.0","1.13.1","1.13.90","1.13.91","1.14.0","1.15.1","1.15.2","1.15.90","1.16.0","1.17.1","1.17.2","1.17.90","1.18.0","1.19.1","1.19.2","1.19.3","1.19.90","1.2.0","1.20.0","1.21.1","1.21.2","1.21.3","1.21.90","1.22.0","1.23.1","1.23.2","1.23.90","1.24.0","1.25.1","1.25.50","1.25.90","1.26.0","1.27.1","1.27.2","1.27.50","1.27.90","1.28.0","1.3.1","1.3.2","1.3.3","1.3.90","1.3.91","1.4.0","1.5.1","1.5.2","1.5.90","1.5.91","1.6.0","1.7.1","1.7.2","1.7.90","1.7.91","1.8.0","1.9.1","1.9.2","1.9.90","BEFORE_INDENT","BRANCH-AUTOPLUG2-ROOT","BRANCH-BUILD1-200112061-ROOT","BRANCH-BUILD1-200112101-ROOT","BRANCH-BUILD1-20011216-FREEZE","BRANCH-BUILD1-ROOT","BRANCH-CAPSNEGO1-ROOT","BRANCH-ERROR-ROOT","BRANCH-EVENTS1-200110161-ROOT","BRANCH-EVENTS1-ROOT","BRANCH-EVENTS2-ROOT","BRANCH-GOBJECT1-200106241-ROOT","BRANCH-GOBJECT1-ROOT","BRANCH-GSTREAMER-0_6-ROOT","BRANCH-GSTREAMER-0_8-ROOT","BRANCH-INCSCHED1-200104161-ROOT","BRANCH-INCSCHED1-200104251-ROOT","BRANCH-INCSCHED1-200105231-ROOT","BRANCH-INCSCHED1-200105251-ROOT","BRANCH-INCSCHED1-ROOT","BRANCH-PLUGINVER1-20010422-ROOT","BRANCH-PLUGINVER1-ROOT","BRANCH-RELEASE-0_3_3-ROOT","BRANCH-RELEASE-0_3_4-ROOT","BRANCH-RELEASE-0_4_0-ROOT","BRANCH-RELEASE-0_4_1-ROOT","BRANCH-RELEASE-0_4_2-ROOT","BRANCH-RELEASE-0_5_0-ROOT","BRANCH-RELEASE-0_5_1-ROOT","BRANCH-RELEASE-0_5_2-ROOT","BRANCH-RELEASE-0_7_2-ROOT","BRANCH-RELEASE-0_7_4-ROOT","BRANCH-RELEASE-0_7_5-ROOT","CAPS-MERGE-1","CAPS-MERGE-2","CAPS-MERGE-3","CAPS-ROOT","CHANGELOG_START","DEBIAN-0_3_1-1","EVENTS1-200110161-FREEZE","GIT_CONVERSION","GOBJECT1-200106241","GOBJECT1-200106241-FREEZE","HEAD-20010306-PRE_AUTOPLUG2","HEAD-20010312-PRE_CAPSNEGO1","INCSCHED1-200105251","INCSCHED1-200105251-FREEZE","MOVE-TO-FDO","OSLOSUMMIT1-200303051","PLUGINVER1-20010422","PLUGINVER1-20010422-FREEZE","RELEASE-0.10.23","RELEASE-0.10.24","RELEASE-0.10.25","RELEASE-0.10.26","RELEASE-0.10.27","RELEASE-0.10.28","RELEASE-0.10.29","RELEASE-0.10.30","RELEASE-0.10.31","RELEASE-0.11.0","RELEASE-0.11.1","RELEASE-0.11.2","RELEASE-0.11.90","RELEASE-0.11.91","RELEASE-0.11.92","RELEASE-0.11.93","RELEASE-0.11.94","RELEASE-0.11.99","RELEASE-0_10_0","RELEASE-0_10_1","RELEASE-0_10_10","RELEASE-0_10_11","RELEASE-0_10_12","RELEASE-0_10_13","RELEASE-0_10_14","RELEASE-0_10_15","RELEASE-0_10_16","RELEASE-0_10_17","RELEASE-0_10_18","RELEASE-0_10_2","RELEASE-0_10_20","RELEASE-0_10_21","RELEASE-0_10_22","RELEASE-0_10_3","RELEASE-0_10_4","RELEASE-0_10_5","RELEASE-0_10_6","RELEASE-0_10_7","RELEASE-0_10_8","RELEASE-0_10_9","RELEASE-0_1_0-SLIPSTREAM","RELEASE-0_1_1-DUCTTAPE","RELEASE-0_2_0-CRITICALMASS","RELEASE-0_2_1-SEDIMASTER","RELEASE-0_2_1-UNKN","RELEASE-0_3_0-EVENTFUL","RELEASE-0_3_1-BELGIANBEER","RELEASE-0_3_2-DOBDAY","RELEASE-0_7_1","RELEASE-0_7_2","RELEASE-0_7_3","RELEASE-0_7_6","RELEASE-0_8_0","RELEASE-0_8_1","RELEASE-0_8_2","RELEASE-0_8_3","RELEASE-0_8_4","RELEASE-0_8_6","RELEASE-0_8_7","RELEASE-0_8_8","RELEASE-0_8_9","RELEASE-0_9_2","RELEASE-0_9_3","RELEASE-0_9_4","RELEASE-0_9_5","RELEASE-0_9_6","RELEASE-0_9_7","TYPEFIND-ROOT","monorepo-start","start"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2920.json","vanir_signatures":[{"id":"CVE-2026-2920-188bb086","target":{"file":"subprojects/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c","function":"gst_asf_demux_parse_stream_object"},"source":"https://gitlab.freedesktop.org/gstreamer/gstreamer@37d7991168a223d0810fd1f4493ec6a8b6a510d3","digest":{"function_hash":"630099599199821968950235743174863390","length":3496},"signature_type":"Function","deprecated":false,"signature_version":"v1"},{"id":"CVE-2026-2920-2cd76640","digest":{"line_hashes":["20221061408367052571050002311203906639","250078494653866724484890594311305166777","11257525651582755729666092504078789926","113476761128070644319027549650961701584","30089253047061385144186779634141332311","180788207409077644687184467353454196575","220936104074267777037086760106473568318","9694142600106015373685299882620129894","176107043756375096429235351534079107432"],"threshold":0.9},"target":{"file":"subprojects/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c"},"source":"https://gitlab.freedesktop.org/gstreamer/gstreamer@37d7991168a223d0810fd1f4493ec6a8b6a510d3","signature_type":"Line","deprecated":false,"signature_version":"v1"},{"id":"CVE-2026-2920-bf2d5e07","digest":{"function_hash":"115539130639084459066131528358185773450","length":1305},"target":{"file":"subprojects/gst-plugins-ugly/gst/asfdemux/gstasfdemux.c","function":"gst_asf_demux_setup_pad"},"source":"https://gitlab.freedesktop.org/gstreamer/gstreamer@37d7991168a223d0810fd1f4493ec6a8b6a510d3","deprecated":false,"signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T20:28:24Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}