PatchSiren cyber security CVE debrief
CVE-2026-52718 Red Hat CVE debrief
A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of GStreamer's AV1 codec parser in gst-plugins-bad should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the gst_av1_parser_parse_tile_list_obu() function passing a byte count to a bit-reader API that expects a bit count. This causes parser desynchronization, leading to an assertion abort and application crash.
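The unit mismatch described above, as an added example that is not GStreamer's code: a hypothetical minimal bit reader (`BitReader`, `br_read`, `br_skip`) and a constructed record format, showing how skipping a byte count through a bit-count API leaves the parser at the wrong offset.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal bit reader; every length and position is in BITS. */
typedef struct {
    const uint8_t *data;
    size_t size_bits;   /* total input length in bits */
    size_t pos_bits;    /* current read position in bits */
} BitReader;

static void br_init(BitReader *br, const uint8_t *data, size_t size_bytes) {
    br->data = data;
    br->size_bits = size_bytes * 8;
    br->pos_bits = 0;
}

/* Read n (<= 32) bits MSB-first; returns 0 on success, -1 on short input. */
static int br_read(BitReader *br, unsigned n, uint32_t *out) {
    uint32_t v = 0;
    if (n > 32 || br->size_bits - br->pos_bits < n) return -1;
    for (unsigned i = 0; i < n; i++, br->pos_bits++)
        v = (v << 1) | ((br->data[br->pos_bits / 8] >> (7 - br->pos_bits % 8)) & 1u);
    *out = v;
    return 0;
}

/* Skip nbits BITS (not bytes); returns -1 on short input. */
static int br_skip(BitReader *br, size_t nbits) {
    if (br->size_bits - br->pos_bits < nbits) return -1;
    br->pos_bits += nbits;
    return 0;
}

/* Constructed sample record: [payload size in bytes][payload...][marker]. */
static const uint8_t SAMPLE[] = { 0x03, 0xAA, 0xBB, 0xCC, 0x5A };

/* Returns the marker byte read after the payload, or -1 on failure. */
static int parse_record(const uint8_t *buf, size_t len, int buggy) {
    BitReader br;
    uint32_t size_bytes, marker;
    br_init(&br, buf, len);
    if (br_read(&br, 8, &size_bytes)) return -1;
    /* Bug: byte count handed to a bit-count API. Fix: convert to bits. */
    if (br_skip(&br, buggy ? size_bytes : (size_t)size_bytes * 8)) return -1;
    if (br_read(&br, 8, &marker)) return -1;
    return (int)marker;
}

int main(void) { return parse_record(SAMPLE, sizeof SAMPLE, 0) == 0x5A ? 0 : 1; }
```

With the conversion the reader lands on the marker byte; without it, the reader advances 3 bits instead of 3 bytes and returns bits from the middle of the payload, which is the desynchronization that later consistency checks trip over.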
Defensive priority
MEDIUM
Recommended defensive actions
- Update to the latest version of gst-plugins-bad
- Avoid opening untrusted AV1 media files
Evidence notes
The vendor is listed as Unknown Vendor, but evidence suggests a connection to Red Hat.
Official resources
CVE-2026-52718 was published on 2026-06-15T20:16:32.317Z and modified on 2026-06-15T21:09:52.020Z.