CVE-2026-3085: Heap-based Buffer Overflow in GStreamer

Severity: 8.8 HIGH (NVD)
EPSS: 0.3% (top 46.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16; latest update Apr 14

Description

GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payloads. The issue results from the lack of proper validation of the length of user-supplied data prior to co

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: gstreamer/gstreamer < 1.28.1
CVEListV5: gstreamer/gstreamer 1c6e163aa33962f5ee4a87d29319ccdd5cb67612

🔴 Vulnerability Details (4)

VulDB: GStreamer rtpqdm2depay heap-based overflow (Nessus ID 304508 / WID-SEC-2026-0525) (2026-04-14)
GHSA: GHSA-8wvg-qc85-jr5c: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability (2026-03-16)
OSV: CVE-2026-3085: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability (2026-03-16)
CVEList: GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerability (2026-03-13)

📋 Vendor Advisories (3)

Ubuntu: GStreamer Good Plugins vulnerabilities (2026-03-30)
Red Hat: GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (2026-03-13)
Debian: CVE-2026-3085: gst-plugins-good1.0 - GStreamer rtpqdm2depay Heap-based Buffer Overflow Remote Code Execution Vulnerab... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-3085 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-3085 mingw-gstreamer1: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay [fedora-all] (2026-03-16)
Bugzilla: CVE-2026-3085 GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (2026-03-13)