How is CVE-2026-52722 exploited?

Network reachability (required): The attacker delivers a malicious VMnc file over the network, so the target service or user must be reachable from an external or remote origin. Authentication (not-required): No account or credential is required; the attacker only needs to get the crafted file in front of a user. Victim interaction (required): A user must be socially engineered into opening the specially crafted VMnc file for the overflow to trigger. Attack complexity (info): Exploit conditions are straightforward and reliable once the file is opened; no race conditions or special memory layout is required.

What is the impact of CVE-2026-52722?

The affected GStreamer process crashes, terminating any media pipeline or application relying on VMnc playback. Out-of-bounds reads expose regions of process memory, which may contain session tokens, decoded frame buffers, or other in-process data.

Back to search

HIGHCVE-2026-52722Published 2026-06-15Modified 2026-06-15CNA redhat

CVE-2026-52722: Gstreamer1-plugins-bad-free: gstreamer: signed integer overflow in vmnc decoder cursor payload handling

A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a specially crafted VMnc file, potentially causing a crash or information disclosure.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 6

HarborGuard Analysis

Synopsis

A signed integer overflow vulnerability exists in GStreamer's VMnc decoder, affecting Red Hat Enterprise Linux across all major versions (6 through 10). The flaw is reachable over the network but requires a user to open a crafted VMnc media file; no authentication is needed from the attacker's side. Successful exploitation causes the application to crash or leaks memory contents to the attacker. No upstream fix has been published yet; HarborGuard tracks this advisory and will flag affected images the moment a patch becomes available.

HarborGuard Coverage

Detection

Detection for CVE-2026-52722 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Red Hat's advisory stream) within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle GStreamer packages.

Available

Triage

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticket queue configured for each customer organization, so the right team sees it without manual sorting.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the Red Hat advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix ships. In the meantime, the advisory remains open in each affected environment's finding list so it stays visible and actionable.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker delivers a malicious VMnc file over the network, so the target service or user must be reachable from an external or remote origin.
AuthenticationNot required
No account or credential is required; the attacker only needs to get the crafted file in front of a user.
Victim interactionRequired
A user must be socially engineered into opening the specially crafted VMnc file for the overflow to trigger.
Attack complexityDetail
Exploit conditions are straightforward and reliable once the file is opened; no race conditions or special memory layout is required.

Blast Radius

The affected GStreamer process crashes, terminating any media pipeline or application relying on VMnc playback.
Out-of-bounds reads expose regions of process memory, which may contain session tokens, decoded frame buffers, or other in-process data.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-52722 at this time, HarborGuard monitors the Red Hat advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a fix version is published. For environments where this CVE represents unacceptable risk right now, compensating controls worth considering include network-policy rules that restrict which workloads can process untrusted media input, egress filtering to limit what a compromised GStreamer process can reach, and feature-flag or entrypoint gating to disable VMnc codec support in containers where that format is not operationally required. The open finding remains visible in each affected environment's HarborGuard dashboard so it does not go stale while the vendor works toward a patch.

See how HarborGuard automates this

Affected packages

Red Hat / Red Hat Enterprise Linux 10
Red Hat / Red Hat Enterprise Linux 6
Red Hat / Red Hat Enterprise Linux 7
Red Hat / Red Hat Enterprise Linux 7
Red Hat / Red Hat Enterprise Linux 8
Red Hat / Red Hat Enterprise Linux 9

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

References

Metrics

Get notified