HIGH | CVE-2026-53704 | CNA: redhat

CVE-2026-53704: Gstreamer1-plugins-ugly-free: gstreamer: out-of-bounds read in realmedia demuxer fileinfo metadata parser

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.
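The two missing checks named above (staying inside the buffer while skipping length-prefixed strings, and validating the element count before looping) are shown in this added example, which is not GStreamer's code or its patch. The byte layout, function names and sample inputs are constructed for illustration and do not reproduce the real FILEINFO format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed layout, NOT the real FILEINFO format:
 * [count: 16-bit big-endian] then count x { name, value }, each a
 * Pascal string (one length byte followed by that many bytes). */

/* Advance *off past one Pascal string; -1 if it would leave the buffer. */
static int skip_pascal_string_checked(const uint8_t *buf, size_t size, size_t *off)
{
    if (*off >= size)
        return -1;                      /* no room for the length byte */
    size_t len = buf[*off];
    if (len > size - *off - 1)
        return -1;                      /* body crosses the buffer end */
    *off += 1 + len;
    return 0;
}

/* Returns the number of pairs walked, or -1 on malformed input. */
int parse_pairs(const uint8_t *buf, size_t size)
{
    if (size < 2)
        return -1;
    size_t count = ((size_t)buf[0] << 8) | buf[1];
    size_t off = 2;
    /* Every pair needs at least two length bytes, so a count larger than
     * half the remaining bytes can never be satisfied: reject it up front. */
    if (count > (size - off) / 2)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (skip_pascal_string_checked(buf, size, &off) < 0 ||
            skip_pascal_string_checked(buf, size, &off) < 0)
            return -1;
    }
    return (int)count;
}

/* Constructed sample inputs: well-formed, overlong value, oversized count. */
static const uint8_t sample_ok[]        = {0x00, 0x01, 3, 'k', 'e', 'y', 2, 'o', 'k'};
static const uint8_t sample_truncated[] = {0x00, 0x01, 3, 'k', 'e', 'y', 9, 'o', 'k'};
static const uint8_t sample_bad_count[] = {0xFF, 0xFF, 0, 0};

int main(void)
{
    printf("%d %d %d\n", parse_pairs(sample_ok, sizeof sample_ok),
           parse_pairs(sample_truncated, sizeof sample_truncated),
           parse_pairs(sample_bad_count, sizeof sample_bad_count));
    return 0;
}
```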

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 4

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the RealMedia demuxer component of GStreamer's gst-plugins-ugly package. The flaw is reachable over the network and requires no authentication, but a user must open a crafted RealMedia file, making this a user-interaction-dependent attack. Successful exploitation crashes the application, potentially hangs it indefinitely due to an unvalidated loop counter, or leaks a limited amount of adjacent memory contents. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-53704 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Red Hat advisories within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle gst-plugins-ugly. Coverage applies regardless of whether the base image is an official Red Hat image or a derived internal build.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 7.1 (HIGH), weighted further against each customer environment's compliance policy and asset classification. Findings are routed to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership mappings.

Status: Available

Patch

Because no upstream fix has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat or the upstream GStreamer project ships a corrective release. In the interim, HarborGuard surfaces the finding with full advisory context so teams can apply compensating controls while the fix is pending.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The crafted RealMedia file can be delivered over the network, for example via a download or streaming link, so the attacker must be able to reach the victim's application across the network.

  • Authentication: Not required

    No account or credential is needed; the attacker only needs to deliver the malicious file to an unauthenticated user.

  • Victim interaction: Required

    A user must actively open or play the specially crafted RealMedia file, requiring some form of social engineering to trigger the vulnerable code path.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the victim opens the file; no race condition, memory-layout dependency, or special environment configuration is required.

Blast Radius

  • Crashes the application processing the RealMedia file, causing a denial of service for the affected user session.
  • Hangs the application indefinitely when the unvalidated element count triggers an infinite parsing loop, requiring a manual process kill or restart.
  • Reads a limited amount of adjacent memory contents beyond the mapped buffer boundary, which may expose nearby in-process data such as string literals or metadata fragments.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory across all customer environments where gst-plugins-ugly is present in scanned images. Because no upstream patch exists today, HarborGuard re-checks the Red Hat and GStreamer advisory feeds on every ingest cycle and will automatically make a patched-image rebuild available, and open a PR against affected workloads for customers with auto-remediation enabled, as soon as a fix version is published. While the fix is pending, HarborGuard recommends applying compensating controls: use network policy to restrict which workloads can receive untrusted media files, add egress filtering to prevent attacker-controlled content from reaching GStreamer-processing containers, and consider disabling RealMedia format support via feature-flag or plugin-exclusion configuration if the format is not required in the affected environment.

Affected packages
  • Red Hat / Red Hat Enterprise Linux 10
  • Red Hat / Red Hat Enterprise Linux 7
  • Red Hat / Red Hat Enterprise Linux 8
  • Red Hat / Red Hat Enterprise Linux 9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H