How is CVE-2026-52719 exploited?

Network reachability (required): The attacker delivers the malicious JPEG over the network, so the vulnerable service or user agent must be reachable or the user must fetch attacker-controlled content from a remote source. Authentication (not-required): No account or credential is needed; the attacker only needs to get the target to open a crafted file. Victim interaction (required): A user must be socially engineered into opening or previewing a specially crafted JPEG file for the malicious input to reach the vulnerable parser. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific preconditions beyond delivering the crafted file.

What is the impact of CVE-2026-52719?

The affected GStreamer process crashes, making any application that relies on it for media decoding unavailable until restarted. Memory contents from beyond the input buffer are read by the parser, which can expose in-process data such as heap contents to an attacker who can observe the output or error state. Any container workload that processes user-supplied or remotely fetched JPEG content through gst-plugins-bad is within scope of this impact.

Back to search

HIGHCVE-2026-52719Published 2026-06-15Modified 2026-06-15CNA redhat

CVE-2026-52719: Gstreamer1-plugins-bad-free: gstreamer: out-of-bounds read via jpeg segment length validation in va decoder

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 6

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the VA JPEG decoder component of GStreamer's gst-plugins-bad package. The flaw is reachable over the network but requires a user to open a specially crafted JPEG file; no authentication is needed on the attacker's side. Successful exploitation crashes the affected application or leaks memory contents to the attacker. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Red Hat's advisory stream, within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle gst-plugins-bad.

Available

Triage

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and can weight that score against each customer environment's compliance policy to determine urgency and route findings to the appropriate team inbox within the customer org.

Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat or the upstream GStreamer project ships a corrected package. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention once that fix lands.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker delivers the malicious JPEG over the network, so the vulnerable service or user agent must be reachable or the user must fetch attacker-controlled content from a remote source.
AuthenticationNot required
No account or credential is needed; the attacker only needs to get the target to open a crafted file.
Victim interactionRequired
A user must be socially engineered into opening or previewing a specially crafted JPEG file for the malicious input to reach the vulnerable parser.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environment-specific preconditions beyond delivering the crafted file.

Blast Radius

The affected GStreamer process crashes, making any application that relies on it for media decoding unavailable until restarted.
Memory contents from beyond the input buffer are read by the parser, which can expose in-process data such as heap contents to an attacker who can observe the output or error state.
Any container workload that processes user-supplied or remotely fetched JPEG content through gst-plugins-bad is within scope of this impact.

How HarborGuard Handles This

Available on HarborGuard: images containing affected versions of gst-plugins-bad across Red Hat Enterprise Linux 6 through 10 are flagged automatically as the CVE is ingested. Because no upstream fix has been published, the current recommendation is to apply compensating controls where possible: network-policy isolation to restrict which workloads can process externally sourced media, egress filtering to prevent attacker-controlled content from reaching vulnerable decoders, and disabling JPEG hardware-acceleration paths via feature flags or decoder pipeline configuration if the application permits it. HarborGuard monitors the Red Hat and upstream GStreamer advisory feeds on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available, and for customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads are triggered without manual intervention.

See how HarborGuard automates this

Affected packages

Red Hat / Red Hat Enterprise Linux 10
Red Hat / Red Hat Enterprise Linux 6
Red Hat / Red Hat Enterprise Linux 7
Red Hat / Red Hat Enterprise Linux 7
Red Hat / Red Hat Enterprise Linux 8
Red Hat / Red Hat Enterprise Linux 9

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

References

Metrics

Get notified