PatchSiren cyber security CVE debrief
CVE-2026-53701 Red Hat CVE debrief
CVE-2026-53701 is a MEDIUM-severity vulnerability with a CVSS score of 6.5. The vulnerability was published on 2026-06-11T19:16:47.913Z and last modified on 2026-06-11T20:56:29.653Z. The vulnerability affects GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad, allowing an out-of-bounds write via a crafted H.266/VVC media file.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of GStreamer's gst-plugins-bad, particularly those processing H.266/VVC media files.
Technical summary
The vulnerability is caused by the loop in gst_h266_parser_parse_picture_partition() (gsth266parser.c) iterating without checking that the slice index stays within bounds. This allows writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure.
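A simplified C model of the defect class described above, added here as an illustration and not taken from gst-plugins-bad. Only the three array names come from the advisory; `ModelPPS`, `ModelTile`, `MODEL_MAX_SLICES` and the input layout are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_SLICES 8  /* assumed capacity, not the real constant */
/* Simplified stand-in for GstH266PPS: only the three arrays the page names. */
typedef struct {
    uint16_t slice_height_in_ctus[MODEL_MAX_SLICES];
    uint16_t slice_top_left_ctu_x[MODEL_MAX_SLICES];
    uint16_t slice_top_left_ctu_y[MODEL_MAX_SLICES];
    size_t num_slices;
} ModelPPS;

/* Constructed input record (not H.266 syntax): a tile split into N slices. */
typedef struct { uint16_t x, y, slices_in_tile, height; } ModelTile;

static void store(ModelPPS *p, size_t idx, const ModelTile *t, uint16_t j) {
    p->slice_height_in_ctus[idx] = t->height;
    p->slice_top_left_ctu_x[idx] = t->x;
    p->slice_top_left_ctu_y[idx] = (uint16_t)(t->y + (uint32_t)j * t->height);
}

/* Defect class: idx is driven by file contents and never compared to capacity. */
void model_parse_unchecked(ModelPPS *p, const ModelTile *t, size_t n) {
    size_t idx = 0;
    for (size_t i = 0; i < n; i++)
        for (uint16_t j = 0; j < t[i].slices_in_tile; j++)
            store(p, idx++, &t[i], j);   /* can write past all three arrays */
    p->num_slices = idx;
}

/* Hardened: fail the parse before any write at idx >= capacity. */
int model_parse_checked(ModelPPS *p, const ModelTile *t, size_t n) {
    size_t idx = 0;
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < n; i++)
        for (uint16_t j = 0; j < t[i].slices_in_tile; j++) {
            if (idx >= MODEL_MAX_SLICES)
                return -1;               /* malformed stream: reject */
            store(p, idx++, &t[i], j);
        }
    p->num_slices = idx;
    return 0;
}

int main(void) {
    ModelPPS pps;
    ModelTile bad[3] = {{0, 0, 4, 1}, {1, 0, 4, 1}, {2, 0, 4, 1}}; /* 12 slices */
    printf("checked parse: %d\n", model_parse_checked(&pps, bad, 3));
    return 0;
}
```

The check sits inside the innermost loop because that is where the index advances; validating only the outer count would still let the index exceed the array capacity.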
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Minimize exposure by following secure media file processing practices, in particular when handling H.266/VVC files from untrusted sources.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide official information about the vulnerability. Additional references include Red Hat's security advisory [ref-4] and bug report [ref-5].
Official resources
CVE-2026-53701 was published on 2026-06-11T19:16:47.913Z and last modified on 2026-06-11T20:56:29.653Z.