PatchSiren cyber security CVE debrief

CVE-2026-46469 GStreamer CVE debrief

A denial-of-service vulnerability exists in GStreamer gst-plugins-good versions prior to 1.28.2. The isomp4 plugin's qtdemux_parse_trak function fails to adequately validate atom data from MP4 audio tracks before performing division operations, resulting in integer division by zero. This flaw can be triggered when processing malformed MP4 files, causing the application to crash. The vulnerability is classified as CWE-369 (Divide By Zero) and has a CVSS 3.1 score of 4.0 (MEDIUM severity), with a local attack vector requiring no privileges or user interaction. The issue was published on May 14, 2026, and last modified on May 19, 2026. A patch is available, and affected users should upgrade to gst-plugins-good 1.28.2 or later.

Vendor: GStreamer
Product: Good Plug-ins (gst-plugins-good)
CVSS: 4.0 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-19
Advisory published: 2026-05-14
Advisory updated: 2026-05-19

Who should care

Organizations and developers using GStreamer-based multimedia applications for MP4 processing, particularly those handling user-supplied media files. System administrators maintaining Linux distributions or embedded systems with GStreamer dependencies should prioritize patching. Security teams monitoring for denial-of-service conditions in media processing pipelines should be aware of this vulnerability.

Technical summary

The isomp4 plugin in GStreamer gst-plugins-good before 1.28.2 contains an insufficient-validation flaw in the qtdemux_parse_trak function. When parsing the atoms of an MP4 audio track, the function divides by values taken directly from the atom data without first checking them, so a zero-valued field in a crafted file produces an integer division by zero (CWE-369), which crashes the process and causes a denial of service. The vulnerability is triggered locally by supplying a crafted MP4 file; no privileges or user interaction are required. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L reflects a local attack vector, low attack complexity, no privilege requirement, no user interaction, and a low (availability-only) impact.
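The following is an added example, not code from the advisory or from the GStreamer project. It shows the class of check the summary describes, and at the same time illustrates the "validate MP4 files from untrusted sources before processing" recommendation: a small atom walker locates each audio track's sample description (stsd) and refuses files whose sound-description fields are zero. The box and sound-description layouts follow the ISO base media / QuickTime format; which specific field CVE-2026-46469 divides by is not stated on this page, so the set of fields treated as divisors here (DIVISOR_FIELDS, plus sample_rate and channel_count) is an assumption of the example. The MP4 fixture built by build_sample_mp4 is constructed for demonstration.

```python
import struct

# Version-1 sound-description fields this validator refuses to accept as zero.
# Which field is the actual zero divisor in CVE-2026-46469 is not stated in the
# advisory text; treating these as divisors is an assumption of this example.
DIVISOR_FIELDS = ("samples_per_packet", "bytes_per_sample")


def iter_boxes(data, start, end):
    """Yield (type, payload_start, payload_end) for each box in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, typ = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:  # 64-bit "largesize" follows the type field
            if pos + 16 > end:
                raise ValueError(f"truncated largesize header at offset {pos}")
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:  # box runs to the end of the enclosing range
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"box {typ!r} at offset {pos} has invalid size {size}")
        yield typ, pos + header, pos + size
        pos += size


def find_boxes(data, start, end, path):
    """Yield payload ranges of every box reachable along a nesting path of box types."""
    if not path:
        yield start, end
        return
    for typ, ps, pe in iter_boxes(data, start, end):
        if typ == path[0]:
            yield from find_boxes(data, ps, pe, path[1:])


def check_sound_description(entry):
    """Return problems found in one audio sample-entry payload (bytes after size+type)."""
    problems = []
    if len(entry) < 28:
        return ["sound description shorter than the 28-byte version-0 layout"]
    version = struct.unpack_from(">H", entry, 8)[0]
    channels = struct.unpack_from(">H", entry, 16)[0]
    sample_rate = struct.unpack_from(">I", entry, 24)[0] >> 16  # 16.16 fixed point
    if channels == 0:
        problems.append("channel_count is zero")
    if sample_rate == 0:
        problems.append("sample_rate is zero")
    if version == 1:
        if len(entry) < 44:
            return problems + ["version-1 sound description truncated"]
        names = ("samples_per_packet", "bytes_per_packet", "bytes_per_frame", "bytes_per_sample")
        v1 = dict(zip(names, struct.unpack_from(">IIII", entry, 28)))
        problems += [f"{name} is zero" for name in DIVISOR_FIELDS if v1[name] == 0]
    return problems


def validate_mp4(data):
    """Walk every audio track's stsd box; return a list of problems (empty = accepted)."""
    problems = []
    try:
        for ts, te in find_boxes(data, 0, len(data), (b"moov", b"trak")):
            handler = None
            for hs, _ in find_boxes(data, ts, te, (b"mdia", b"hdlr")):
                handler = data[hs + 8:hs + 12]  # version/flags(4) + pre_defined(4), then handler_type
            if handler != b"soun":
                continue  # only audio tracks are in scope here
            for ss, se in find_boxes(data, ts, te, (b"mdia", b"minf", b"stbl", b"stsd")):
                # stsd payload: version/flags(4) + entry_count(4), then sample entries as boxes
                for typ, es, ee in iter_boxes(data, ss + 8, se):
                    fmt = typ.decode("latin-1")
                    problems += [f"{fmt}: {p}" for p in check_sound_description(data[es:ee])]
    except ValueError as exc:
        problems.append(f"malformed box structure: {exc}")
    return problems


def box(typ, payload):
    """Serialize one box: 32-bit big-endian size (including header) + 4-byte type + payload."""
    return struct.pack(">I4s", 8 + len(payload), typ) + payload


def build_sample_mp4(sample_rate, samples_per_packet):
    """Constructed minimal MP4 with one audio track; a fixture for this example, not a real file."""
    sound = (b"\x00" * 6 + struct.pack(">H", 1)                   # reserved, data_reference_index
             + struct.pack(">HH4s", 1, 0, b"\x00" * 4)             # version 1, revision, vendor
             + struct.pack(">HHHH", 2, 16, 0, 0)                   # channels, sample_size, compression_id, packet_size
             + struct.pack(">I", sample_rate << 16)                # sample_rate as 16.16 fixed point
             + struct.pack(">IIII", samples_per_packet, 0, 0, 2))  # v1: samples/packet, bytes/packet, bytes/frame, bytes/sample
    stsd = box(b"stsd", b"\x00" * 4 + struct.pack(">I", 1) + box(b"mp4a", sound))
    hdlr = box(b"hdlr", b"\x00" * 8 + b"soun" + b"\x00" * 12)
    mdia = box(b"mdia", hdlr + box(b"minf", box(b"stbl", stsd)))
    return box(b"ftyp", b"isom\x00\x00\x02\x00") + box(b"moov", box(b"trak", mdia))


if __name__ == "__main__":
    print("well-formed :", validate_mp4(build_sample_mp4(48000, 1024)) or "accepted")
    print("zero fields :", validate_mp4(build_sample_mp4(0, 0)))
```

The walker rejects structurally invalid boxes (sizes smaller than their header or running past the enclosing box) before it ever reads a field, because a demuxer that trusts the size field can be driven into the same kind of unchecked arithmetic. A gate like this is a stopgap for untrusted uploads; it does not replace upgrading to 1.28.2.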

Defensive priority

medium

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-good to version 1.28.2 or later to remediate this vulnerability.
  • Apply the official patch from the GStreamer project if immediate upgrading is not feasible.
  • Validate and sanitize MP4 files from untrusted sources before processing with GStreamer-based applications.
  • Monitor application logs for crashes related to MP4 parsing that may indicate exploitation attempts.
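The following is an added example, not part of the advisory, showing what the last recommendation looks like in practice. On Linux an integer division by zero is delivered as SIGFPE, so the crash signature to watch for in a GStreamer-based media pipeline is a SIGFPE (divide error) attributed to the isomp4 plugin. The script extracts such events from two sources, the x86 kernel's "traps:" message and a systemd-coredump "dumped core" / "Signal" line pair, correlates them by pid, and raises an alert only when the faulting library is the MP4 demuxer. The log lines in SAMPLE_LOG are constructed in the shape of those messages and are not real output; the plugin's shared-object name in MP4_DEMUXER_LIBS is an assumption to adjust for your build.

```python
import re
from collections import defaultdict

# Assumed shared-object name of the isomp4 plugin on Linux; adjust to your build.
MP4_DEMUXER_LIBS = {"libgstisomp4.so"}

# x86 kernel "traps:" line for an integer divide fault (delivered as SIGFPE).
KERNEL_TRAP = re.compile(
    r"kernel: traps: (?P<comm>.+?)\[(?P<pid>\d+)\] trap divide error .*? in (?P<lib>\S+?)\[")
# systemd-coredump pair: the "dumped core" line and the signal line share the logger pid.
CORE_PROC = re.compile(
    r"systemd-coredump\[(?P<cid>\d+)\]: Process (?P<pid>\d+) \((?P<comm>.+?)\) of user \d+ dumped core")
CORE_SIG = re.compile(r"systemd-coredump\[(?P<cid>\d+)\]: Signal: (?P<signo>\d+) \((?P<signame>\w+)\)")

# Constructed sample lines in the shape of those messages; not real log output.
SAMPLE_LOG = """\
May 15 10:02:11 host kernel: traps: gst-launch-1.0[4242] trap divide error ip:7f3a2c1b5e10 sp:7ffd1c2e4b60 error:0 in libgstisomp4.so[7f3a2c190000+60000]
May 15 10:02:11 host systemd-coredump[4250]: Process 4242 (gst-launch-1.0) of user 1000 dumped core.
May 15 10:02:11 host systemd-coredump[4250]: Signal: 8 (FPE)
May 15 10:05:42 host kernel: traps: ffmpeg[5120] trap divide error ip:7f9b00112233 sp:7ffc00aa0000 error:0 in libavformat.so.60[7f9b00100000+400000]
May 15 10:07:03 host systemd-coredump[5301]: Process 5290 (totem) of user 1000 dumped core.
May 15 10:07:03 host systemd-coredump[5301]: Signal: 11 (SEGV)
"""


def find_divide_crashes(lines):
    """Extract SIGFPE crash events from kernel trap lines and coredump line pairs."""
    events = []
    pending = {}  # coredump logger pid -> (crashed pid, comm) awaiting its Signal line
    for line in lines:
        m = KERNEL_TRAP.search(line)
        if m:
            events.append({"source": "kernel", "pid": int(m["pid"]), "comm": m["comm"],
                           "lib": m["lib"], "signal": "FPE"})
            continue
        m = CORE_PROC.search(line)
        if m:
            pending[m["cid"]] = (int(m["pid"]), m["comm"])
            continue
        m = CORE_SIG.search(line)
        if m and m["cid"] in pending:
            pid, comm = pending.pop(m["cid"])
            if m["signame"] == "FPE":  # other signals (SEGV, ABRT, ...) are not this bug class
                events.append({"source": "coredump", "pid": pid, "comm": comm,
                               "lib": None, "signal": "FPE"})
    return events


def mp4_demuxer_alerts(events):
    """Group events by pid; alert when the kernel attributed the fault to the MP4 demuxer library."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        hits = {e["lib"] for e in evs if e["lib"]} & MP4_DEMUXER_LIBS
        if hits:
            alerts.append({"pid": pid, "comm": evs[0]["comm"], "lib": sorted(hits)[0],
                           "core_dumped": any(e["source"] == "coredump" for e in evs)})
    return alerts


if __name__ == "__main__":
    for a in mp4_demuxer_alerts(find_divide_crashes(SAMPLE_LOG.splitlines())):
        print(f"SIGFPE in {a['lib']} ({a['comm']}, pid {a['pid']}), core dumped: {a['core_dumped']}")
```

Only the kernel line carries the faulting library, so an alert requires it; the coredump pair merely confirms that a dump exists for follow-up triage. A divide fault in another media library (the ffmpeg line above) is kept as an event but does not produce an alert for this advisory.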

Evidence notes

The vulnerability description is derived from the official CVE record and NVD entry. The affected product and version range are confirmed through CPE criteria in the NVD data. The root cause (CWE-369) and CVSS vector are sourced from MITRE's submission. The patch and vendor advisory are explicitly referenced in the CVE record's reference list.

Official resources

The vulnerability was disclosed through MITRE and NVD on May 14, 2026, with a vendor advisory published by the GStreamer project.