PatchSiren cyber security CVE debrief
CVE-2026-53702 Red Hat CVE debrief
A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of the GStreamer H.265 codec parser library (gst-plugins-bad), including any application that decodes or inspects H.265 content with GStreamer, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by an incorrect loop bound in the buffering period SEI parser: the limit is read through the loop index (cpb_cnt_minus1[i]) instead of the sub-layer 0 CPB count (cpb_cnt_minus1[0]) from the referenced SPS, so a crafted stream can drive the loop past the end of the stack-allocated CPB delay arrays. This can result in a crash or potential stack memory corruption.
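The defect class described above, as an added illustration that is not GStreamer's code: a simplified model of the SPS HRD parameters and the CPB delay arrays (the type names, sizes and the `delays` stand-in for the SEI bit reader are assumptions), showing how a bound read through the loop index drifts, beside a parse that takes the sub-layer 0 count once and checks it against the array capacity before writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the H.265 structures involved; these are not GStreamer's own types. */
#define MAX_SUB_LAYERS 7   /* H.265 allows up to 7 temporal sub-layers */
#define MAX_CPB_CNT    32  /* cpb_cnt_minus1 is 0..31, so a CPB delay array needs 32 slots */

typedef struct {
    uint8_t cpb_cnt_minus1[MAX_SUB_LAYERS]; /* per sub-layer, from the SPS VUI HRD params */
} hrd_params_t;

typedef struct {
    uint32_t nal_initial_cpb_removal_delay[MAX_CPB_CNT]; /* fixed-size, as on the parser's stack */
    int cpb_cnt;                                          /* entries actually filled */
} buffering_period_t;

/* Number of writes the SEI loop must perform: sub-layer 0 count, read once. */
int correct_write_count(const hrd_params_t *hrd)
{
    return hrd->cpb_cnt_minus1[0] + 1;
}

/* Simulates the defective bound "i <= cpb_cnt_minus1[i]": the limit is re-read through the
   loop index, so it moves with i. Returns the number of writes the loop would attempt, or -1
   when i walks past the sub-layer table itself (the real parser would already be overflowing). */
int buggy_write_count(const hrd_params_t *hrd)
{
    int i = 0;
    while (i < MAX_SUB_LAYERS && i <= hrd->cpb_cnt_minus1[i])
        i++;
    return i < MAX_SUB_LAYERS ? i : -1;
}

/* Hardened parse: bound taken from sub-layer 0 and checked against the array capacity and
   the available SEI payload before any write. Returns the number of entries filled, or -1. */
int parse_buffering_period(const hrd_params_t *hrd, const uint32_t *delays, size_t n_delays,
                           buffering_period_t *bp)
{
    int cpb_cnt = correct_write_count(hrd);
    if (cpb_cnt > MAX_CPB_CNT || (size_t)cpb_cnt > n_delays)
        return -1; /* malformed or truncated SEI: reject instead of writing out of bounds */
    for (int i = 0; i < cpb_cnt; i++)
        bp->nal_initial_cpb_removal_delay[i] = delays[i];
    bp->cpb_cnt = cpb_cnt;
    return cpb_cnt;
}
```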
Defensive priority
MEDIUM
Recommended defensive actions
- Update the GStreamer H.265 codec parser library (gst-plugins-bad) to a fixed version as soon as one is available from Red Hat.
- Until then, avoid parsing untrusted H.265 video files or streams with the affected parser.
Evidence notes
The CVE-2026-53702 vulnerability was reported by Red Hat.
Official resources
CVE-2026-53702 was published on 2026-06-11T19:16:48.047Z and modified on 2026-06-11T20:56:29.653Z.