HIGH | CVE-2026-52720 | CNA: redhat

CVE-2026-52720: Gstreamer1-plugins-bad-free: gstreamer: heap buffer overflow via crafted vnc server rectangle in librfb

A heap buffer overflow vulnerability was found in GStreamer's librfb (RFB/VNC client). The rectangle bounds check incorrectly validates area rather than individual dimensions, allowing a malicious VNC server to send a rectangle that extends beyond the framebuffer. A remote attacker could set up a malicious VNC server and trick a user into connecting, resulting in an out-of-bounds heap write that could lead to code execution or a crash.
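
The difference between validating a rectangle's area and validating each dimension, as an added C example (not GStreamer's librfb code and not part of the advisory). The struct and function names and the 640x480 sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not GStreamer's librfb code. */
typedef struct { uint16_t x, y, w, h; } rfb_rect;  /* 16-bit fields, as in an RFB rectangle header */
typedef struct { uint32_t width, height, bytes_per_pixel; } framebuffer;

/* Flawed pattern: only the total area is compared, so a narrow rectangle
 * that is taller than the framebuffer is accepted. */
bool rect_ok_area_only(const rfb_rect *r, const framebuffer *fb)
{
    return (uint64_t)r->w * r->h <= (uint64_t)fb->width * fb->height;
}

/* Corrected pattern: each axis is validated on its own, offset included.
 * Subtracting from the framebuffer size keeps the comparison overflow-free. */
bool rect_ok_per_dimension(const rfb_rect *r, const framebuffer *fb)
{
    if (r->x > fb->width || r->y > fb->height)
        return false;
    return r->w <= fb->width - r->x && r->h <= fb->height - r->y;
}

/* Byte offset one past the last pixel a row-by-row copy of r would write. */
uint64_t rect_end_offset(const rfb_rect *r, const framebuffer *fb)
{
    if (r->w == 0 || r->h == 0)
        return 0;
    uint64_t last_row = (uint64_t)r->y + r->h - 1;
    uint64_t last_col = (uint64_t)r->x + r->w - 1;
    return (last_row * fb->width + last_col + 1) * fb->bytes_per_pixel;
}

int main(void)
{
    framebuffer fb = { 640, 480, 4 };   /* constructed sample values */
    rfb_rect tall = { 0, 0, 1, 1000 };  /* area 1000 px, but height > 480 */
    uint64_t fb_bytes = (uint64_t)fb.width * fb.height * fb.bytes_per_pixel;

    printf("area-only check accepts: %d\n", rect_ok_area_only(&tall, &fb));
    printf("per-dimension check accepts: %d\n", rect_ok_per_dimension(&tall, &fb));
    printf("copy would end at byte %llu of a %llu-byte buffer\n",
           (unsigned long long)rect_end_offset(&tall, &fb),
           (unsigned long long)fb_bytes);
    return 0;
}
```
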

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 6

HarborGuard Analysis

Synopsis

A heap buffer overflow exists in GStreamer's librfb RFB/VNC client component within gstreamer1-plugins-bad-free. The vulnerability is reachable over the network without authentication but requires a user to connect to a malicious VNC server, as reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:R). Successful exploitation gives an attacker an out-of-bounds heap write that could lead to arbitrary code execution or a crash. HarborGuard is tracking the advisory for patch availability, as no fix versions have been published upstream.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle gstreamer1-plugins-bad-free.

Status: Available

Triage

HarborGuard scores this CVE at 8.8 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy, routing actionable findings to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must operate a reachable VNC server that the victim connects to over the network.

  • Authentication: Not required

    No credentials are needed on the attacker side; the malicious server is openly accessible.

  • Victim interaction: Required

    A user must be tricked into connecting their GStreamer-based VNC client to the attacker-controlled server, making social engineering a prerequisite.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the victim connects; no race conditions or special memory layout knowledge are required (AC:L).

Blast Radius

  • An attacker achieves an out-of-bounds heap write, providing a strong primitive for arbitrary code execution within the GStreamer process.
  • All data accessible to the process, including media streams, session state, and local credentials, is exposed to reading and modification.
  • The attacker can modify in-memory application state or inject malicious payloads that persist for the session lifetime.
  • Triggering the overflow can crash the GStreamer process outright, disrupting any media pipeline or VNC-dependent service relying on it.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists yet, affected images containing gstreamer1-plugins-bad-free across Red Hat Enterprise Linux 6 through 10 are flagged and monitored continuously. HarborGuard re-checks the Red Hat advisory on every ingest cycle, typically every few minutes, and will make a patched-image rebuild available automatically the moment an upstream fix is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. In the interim, compensating controls worth applying include network-policy rules that prevent container workloads from initiating outbound VNC connections to untrusted hosts, egress filtering at the cluster boundary, and disabling the GStreamer RFB/VNC plugin via feature-flag or package removal if VNC playback is not required by the workload.

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 6
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H