CVE-2026-46470 GStreamer CVE debrief

Who should care

Organizations and developers utilizing GStreamer for multimedia processing, particularly those handling MP4 audio content from untrusted sources. System administrators maintaining media servers, transcoding pipelines, or desktop environments with GStreamer dependencies should prioritize patching. Security teams monitoring for denial-of-service vectors in multimedia parsing libraries should track this vulnerability.

Technical summary

The isomp4 plugin in GStreamer gst-plugins-good versions prior to 1.28.2 contains a validation flaw in the qtdemux_audio_caps function. When parsing atom data from MP4 audio tracks, the function performs division operations without sufficient validation of input values, resulting in potential integer division by zero. This condition causes denial of service through application crash or hang when processing crafted MP4 files. The vulnerability is exploitable locally with low attack complexity and requires no privileges or user interaction.

Defensive priority

medium

Recommended defensive actions

• Upgrade GStreamer gst-plugins-good to version 1.28.2 or later to remediate the division-by-zero vulnerability in MP4 audio track parsing.
• Apply the vendor-provided patch from the GStreamer merge request if immediate upgrading is not feasible.
• Review and restrict processing of untrusted MP4 audio files in environments where GStreamer is deployed.
• Monitor GStreamer security advisories for additional guidance related to SA-2026-0018.

Evidence notes

The vulnerability description and affected version range (prior to 1.28.2) are derived from NVD CPE criteria and the official CVE record. The specific function (qtdemux_audio_caps) and plugin (isomp4) are identified in the CVE description. CVSS vector and CWE classification are sourced from NVD metadata.

Official resources