PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12891 Red Hat CVE debrief

The GStreamer gst-plugins-bad package has a flaw that allows an attacker to craft a malicious H.266 video file or stream. When such input is processed by a GStreamer-based application, it can leak limited memory contents through video metadata, potentially exposing sensitive information from the application's address space. The flaw is an out-of-bounds read of up to 8 bytes from memory adjacent to the parser's data when a malformed H.266/VVC stream carries a crafted aspect ratio indicator value. The CVSS score for this vulnerability is 4.3, with a Medium severity rating. The CVE was published on June 23, 2026, and modified on June 25, 2026.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Developers and administrators who ship or run GStreamer-based applications that rely on gst-plugins-bad to parse H.266/VVC video. Any such application that accepts H.266 files or streams from untrusted sources is exposed: a crafted input can disclose up to 8 bytes of adjacent process memory through the stream's video metadata, which may include sensitive data from the application's address space.

Technical summary

The H.266 parser in the GStreamer gst-plugins-bad package performs an out-of-bounds read of up to 8 bytes from adjacent memory when it processes a malformed H.266/VVC stream whose aspect ratio indicator carries a crafted value. An attacker can therefore craft a malicious H.266 file or stream that, when parsed by a GStreamer-based application, leaks limited memory contents into the video metadata the parser produces. The vulnerability has a CVSS score of 4.3 with a Medium severity rating and is classified under CWE-125 (Out-of-bounds Read).
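To make the bug class concrete, the following is a constructed illustration written for this debrief, not GStreamer's own parser: the VUI field aspect_ratio_idc selects a sample aspect ratio from a fixed 17-entry table, so a reserved indicator value (17..254) used as an unchecked index reads past the table, which is the CWE-125 pattern the advisory describes. The table values follow the predefined SARs of the VUI syntax; the function names and the rejection of reserved values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example (not GStreamer code). Predefined sample aspect
 * ratios the VUI syntax assigns to aspect_ratio_idc 1..16; index 0 is
 * "unspecified", 17..254 are reserved, 255 signals an explicit ratio. */
#define SAR_TABLE_LEN 17
#define EXTENDED_SAR  255

typedef struct { uint16_t num, den; } sar_t;

static const sar_t sar_table[SAR_TABLE_LEN] = {
    {0, 0},   {1, 1},    {12, 11}, {10, 11}, {16, 11}, {40, 33},
    {24, 11}, {20, 11},  {32, 11}, {80, 33}, {18, 11}, {15, 11},
    {64, 33}, {160, 99}, {4, 3},   {3, 2},   {2, 1},
};

/* Resolve aspect_ratio_idc to a SAR. Reserved idc values are rejected
 * instead of being used as an index: an unchecked "sar_table[idc]" would
 * copy whatever bytes follow the table into the stream's metadata, the
 * out-of-bounds read this advisory concerns. sar_w/sar_h are consulted
 * only when idc == EXTENDED_SAR. Returns false and leaves *out untouched
 * on rejection. */
bool resolve_sar(uint8_t idc, uint16_t sar_w, uint16_t sar_h, sar_t *out)
{
    if (idc == EXTENDED_SAR) {
        /* Explicit ratio from the stream; refuse a zero term so later
         * scaling code never divides by zero. */
        if (sar_w == 0 || sar_h == 0)
            return false;
        out->num = sar_w;
        out->den = sar_h;
        return true;
    }
    if (idc >= SAR_TABLE_LEN)   /* reserved: never index the table */
        return false;
    *out = sar_table[idc];      /* idc 0 yields 0:0 = "unspecified" */
    return true;
}

/* Helper: 1 if idc resolves to exactly want_n:want_d, else 0. */
int sar_is(uint8_t idc, uint16_t sar_w, uint16_t sar_h,
           uint16_t want_n, uint16_t want_d)
{
    sar_t s = {0, 0};
    return resolve_sar(idc, sar_w, sar_h, &s) &&
           s.num == want_n && s.den == want_d;
}
```

A parser that already reads past the table cannot be fixed at the caller; the check has to sit at the lookup, before the index is used.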

Defensive priority

Treat this as a medium-priority patch: the impact is limited information disclosure (at most 8 bytes per crafted read) rather than code execution, but the only precondition is that a crafted file or stream reaches the parser. Administrators should order patching by how sensitive the data handled by their GStreamer-based applications is and how much untrusted media those applications ingest.

Recommended defensive actions

  • Update the gst-plugins-bad package to a build that carries the fix for this CVE
  • Until patched, avoid feeding untrusted H.266/VVC files or streams to GStreamer-based applications, and restrict who can submit media to services that parse it
  • Monitor GStreamer-based applications for crashes and for implausible aspect-ratio or other metadata values in parsed streams, which may indicate malformed input reaching the parser
  • Implement compensating controls (input validation or sandboxing of media-parsing components) to limit what a memory disclosure in the parser can expose
  • Perform thorough inventory checks to identify systems where gst-plugins-bad is installed and which applications depend on it

Evidence notes

CVE-2026-12891 was published on June 23, 2026, and modified on June 25, 2026. The vulnerability is classified under CWE-125 and carries a CVSS score of 4.3 with a Medium severity rating. Only limited information is available about the affected scope and the vendor's remediation workflow, so the exact fixed package version is not recorded here.

Official resources

This article is AI-assisted and based on the supplied source corpus.