PatchSiren cyber security CVE debrief

CVE-2026-12892 Red Hat CVE debrief

A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units, a 1-byte heap out-of-bounds read can occur during parsing. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. An attacker could exploit this by tricking a user into opening a malicious H.264 video file, potentially causing the application to crash or leak a single byte of heap memory. The vulnerability has a CVSS score of 4.4 and is classified as MEDIUM severity. The CVE was published on June 23, 2026, and modified on June 25, 2026.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 4.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-23
Original CVE updated: 2026-06-25
Advisory published: 2026-06-23
Advisory updated: 2026-06-25

Who should care

Anyone running GStreamer's gst-plugins-bad package should take note of this vulnerability and mitigate it: update to a patched version of the package and be cautious when opening H.264 video files from untrusted sources. The flaw could be used to crash the application (denial of service) or leak a single byte of heap memory.

Technical summary

The vulnerability is caused by a 1-byte heap out-of-bounds read that occurs during parsing of specially crafted H.264 video files. This happens when the parser attempts to check slice boundary information without first verifying that the NAL unit contains enough data beyond the extension header. The vulnerability has a CVSS score of 4.4 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L. The weakness is classified as CWE-125.
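To illustrate the class of check the summary describes, here is an added example, written for this debrief and not taken from GStreamer's code: a hypothetical NAL header parser that refuses to read any slice data unless the unit carries at least one byte beyond the 3-byte MVC/SVC extension header. The function names and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* NAL types that carry a 3-byte SVC/MVC extension after the 1-byte header
 * (H.264 prefix NAL 14 and coded slice extension 20). Type 21 (3D-AVC) is
 * omitted here because its extension header length can differ. */
static bool nal_has_extension_header(uint8_t nal_type)
{
    return nal_type == 14 || nal_type == 20;
}

/* Returns the offset of the first slice-data byte, or 0 if the NAL unit is
 * too short to contain any. A caller must treat 0 as "reject this NAL". */
size_t nal_slice_payload_offset(const uint8_t *data, size_t size)
{
    if (data == NULL || size < 1)
        return 0;
    uint8_t nal_type = data[0] & 0x1F;
    size_t header_len = 1;
    if (nal_has_extension_header(nal_type))
        header_len += 3;
    /* The check the advisory describes: require at least one byte of slice
     * data beyond the (extension) header before reading it. */
    if (size <= header_len)
        return 0;
    return header_len;
}

/* Returns the first slice-data byte, or -1 when the bounds check fails,
 * so the out-of-bounds read is never attempted on a truncated unit. */
int nal_first_slice_byte(const uint8_t *data, size_t size)
{
    size_t off = nal_slice_payload_offset(data, size);
    if (off == 0)
        return -1;
    return data[off];
}

/* Constructed samples (not from any real stream). 0x74 = nal_ref_idc 3,
 * nal_unit_type 20; 0x65 = nal_ref_idc 3, nal_unit_type 5 (IDR slice). */
const uint8_t sample_mvc_truncated[4] = { 0x74, 0x80, 0x00, 0x00 };       /* header + ext only */
const uint8_t sample_mvc_ok[5]        = { 0x74, 0x80, 0x00, 0x00, 0xB8 }; /* one slice byte */
const uint8_t sample_idr_ok[2]        = { 0x65, 0xB8 };
```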

Defensive priority

This vulnerability should be prioritized for remediation based on its MEDIUM severity and potential impact on affected systems. Users of GStreamer's gst-plugins-bad package should update to a patched version of the package as soon as possible.

Recommended defensive actions

  • Update to a patched version of GStreamer's gst-plugins-bad package
  • Be cautious when opening H.264 video files from untrusted sources
  • Implement additional security controls to detect and prevent exploitation
  • Monitor systems for potential exploitation attempts
  • Review and update incident response plans to address potential exploitation

Evidence notes

The CVE was published on June 23, 2026, and modified on June 25, 2026. The vulnerability is classified as CWE-125. The CVSS score is 4.4 and the severity is MEDIUM. The vulnerability could potentially be used to cause a denial of service or leak sensitive information.

Official resources

This article is AI-assisted and based on the supplied source corpus.