Debian LTS DLA-4516-1 gst-plugins-ugly1.0 Critical Buffer Overflow Risk 2026-2920
debian lts
March 30, 2026
Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of GStreamer plugins from the "ugly" set
Topics Covered
Summary
CVE-2026-2920
The ASF demuxer did not validate the number of streams against
the size of its static streams array. A crafted ASF file with
more than 32 streams could cause a heap-based buffer overflow
and potentially allow code execution.
CVE-2026-2922
The RealMedia demuxer checked for too many video fragments after
writing to the fragment storage, allowing an out-of-bounds write.
Additionally, an integer overflow in the fragment size check could
bypass the available data validation.
For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u2.
We recommend that you upgrade your gst-plugins-ugly1.0 packages.
For the detailed security status of gst-plugins-ugly1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/gst-plugins-ugly1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: gst-plugins-ugly1.0
Version: 1.18.4-2+deb11u2
CVE ID: CVE-2026-2920 CVE-2026-2922
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!