Fluid Attacks Database

Description

An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel7	gstreamer1-plugins-bad-free	-	-
debian 11	gst-plugins-bad1.0	=1.18.4-3 \|\| =1.18.4-3+deb11u1 \|\| =1.18.4-3+deb11u2 \|\| =1.18.4-3+deb11u3 \|\| =1.18.4-3+deb11u4 \|\| =1.18.4-3+deb11u5 \|\| =1.18.4-3+deb11u6 \|\| =1.18.5-1 \|\| =1.19.90-1 \|\| =1.20.0-1 \|\| =1.20.0-2 \|\| =1.20.0-3 \|\| =1.20.0-4 \|\| =1.20.1-1 \|\| =1.20.1-2 \|\| =1.20.2-1 \|\| =1.20.3-1 \|\| =1.20.3-2 \|\| =1.20.4-1 \|\| =1.20.5-1 \|\| =1.22.0-1 \|\| =1.22.0-2 \|\| =1.22.0-3 \|\| =1.22.0-4 \|\| =1.22.1-1 \|\| =1.22.10-1 \|\| =1.22.3-1 \|\| =1.22.3-2 \|\| =1.22.4-1 \|\| =1.22.7-1 \|\| =1.22.8-1 \|\| =1.22.9-1 \|\| =1.22.9-2 \|\| =1.23.1-1 \|\| =1.23.2-1 \|\| =1.23.90-1 \|\| =1.24.0-1 \|\| =1.24.1-1 \|\| =1.24.1-2 \|\| =1.24.1-3 \|\| =1.24.1-4 \|\| =1.24.10-1 \|\| =1.24.10-2 \|\| =1.24.10-2+hurd.1 \|\| =1.24.10-3 \|\| =1.24.11-1 \|\| =1.24.11-2 \|\| =1.24.11-3 \|\| =1.24.12-1 \|\| =1.24.12-2 \|\| =1.24.12-3 \|\| =1.24.2-1 \|\| =1.24.2-2 \|\| =1.24.2-3 \|\| =1.24.2-4 \|\| =1.24.3-1 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.5-1 \|\| =1.24.6-1 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.8-2 \|\| =1.24.9-1 \|\| =1.25.1-1 \|\| =1.25.1-2 \|\| =1.25.1-3 \|\| =1.25.50-1 \|\| =1.25.90-1 \|\| =1.25.90-2 \|\| =1.25.90-3 \|\| =1.26.0-1 \|\| =1.26.1-1 \|\| =1.26.10-1 \|\| =1.26.10-2 \|\| =1.26.2-1 \|\| =1.26.2-2 \|\| =1.26.2-3 \|\| =1.26.3-1 \|\| =1.26.4-1 \|\| =1.26.5-1 \|\| =1.26.5-2 \|\| =1.26.6-1 \|\| =1.26.6-2 \|\| =1.26.6-3 \|\| =1.26.6-4 \|\| =1.26.6-5 \|\| =1.26.7-1 \|\| =1.26.7-2 \|\| =1.26.8-1 \|\| =1.26.9-1 \|\| =1.27.1-1 \|\| =1.27.2-1 \|\| =1.27.50-1 \|\| =1.27.90-1 \|\| =1.27.90-2 \|\| =1.27.90-3 \|\| =1.28.0-1 \|\| =1.28.1-1 \|\| =1.28.1-2 \|\| =1.28.1-3 \|\| =1.28.2-1 \|\| =1.28.2-2 \|\| =1.28.3-1 \|\| =1.28.4-1 \|\| =1.29.1-1	-
debian 12	gst-plugins-bad1.0	=1.22.0-4 \|\| =1.22.0-4+deb12u1 \|\| =1.22.0-4+deb12u2 \|\| =1.22.0-4+deb12u3 \|\| =1.22.0-4+deb12u4 \|\| =1.22.0-4+deb12u5 \|\| =1.22.0-4+deb12u6 \|\| =1.22.0-4+deb12u7 \|\| =1.22.1-1 \|\| =1.22.10-1 \|\| =1.22.3-1 \|\| =1.22.3-2 \|\| =1.22.4-1 \|\| =1.22.7-1 \|\| =1.22.8-1 \|\| =1.22.9-1 \|\| =1.22.9-2 \|\| =1.23.1-1 \|\| =1.23.2-1 \|\| =1.23.90-1 \|\| =1.24.0-1 \|\| =1.24.1-1 \|\| =1.24.1-2 \|\| =1.24.1-3 \|\| =1.24.1-4 \|\| =1.24.10-1 \|\| =1.24.10-2 \|\| =1.24.10-2+hurd.1 \|\| =1.24.10-3 \|\| =1.24.11-1 \|\| =1.24.11-2 \|\| =1.24.11-3 \|\| =1.24.12-1 \|\| =1.24.12-2 \|\| =1.24.12-3 \|\| =1.24.2-1 \|\| =1.24.2-2 \|\| =1.24.2-3 \|\| =1.24.2-4 \|\| =1.24.3-1 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.5-1 \|\| =1.24.6-1 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.8-2 \|\| =1.24.9-1 \|\| =1.25.1-1 \|\| =1.25.1-2 \|\| =1.25.1-3 \|\| =1.25.50-1 \|\| =1.25.90-1 \|\| =1.25.90-2 \|\| =1.25.90-3 \|\| =1.26.0-1 \|\| =1.26.1-1 \|\| =1.26.10-1 \|\| =1.26.10-2 \|\| =1.26.2-1 \|\| =1.26.2-2 \|\| =1.26.2-3 \|\| =1.26.3-1 \|\| =1.26.4-1 \|\| =1.26.5-1 \|\| =1.26.5-2 \|\| =1.26.6-1 \|\| =1.26.6-2 \|\| =1.26.6-3 \|\| =1.26.6-4 \|\| =1.26.6-5 \|\| =1.26.7-1 \|\| =1.26.7-2 \|\| =1.26.8-1 \|\| =1.26.9-1 \|\| =1.27.1-1 \|\| =1.27.2-1 \|\| =1.27.50-1 \|\| =1.27.90-1 \|\| =1.27.90-2 \|\| =1.27.90-3 \|\| =1.28.0-1 \|\| =1.28.1-1 \|\| =1.28.1-2 \|\| =1.28.1-3 \|\| =1.28.2-1 \|\| =1.28.2-2 \|\| =1.28.3-1 \|\| =1.28.4-1 \|\| =1.29.1-1	-
debian 13	gst-plugins-bad1.0	=1.26.2-3 \|\| =1.26.2-3+deb13u1 \|\| >=0 <1.26.2-3+deb13u2	1.26.2-3+deb13u2
debian 14	gst-plugins-bad1.0	=1.26.10-1 \|\| =1.26.10-2 \|\| =1.26.2-3 \|\| =1.26.3-1 \|\| =1.26.4-1 \|\| =1.26.5-1 \|\| =1.26.5-2 \|\| =1.26.6-1 \|\| =1.26.6-2 \|\| =1.26.6-3 \|\| =1.26.6-4 \|\| =1.26.6-5 \|\| =1.26.7-1 \|\| =1.26.7-2 \|\| =1.26.8-1 \|\| =1.26.9-1 \|\| =1.27.1-1 \|\| =1.27.2-1 \|\| =1.27.50-1 \|\| =1.27.90-1 \|\| =1.27.90-2 \|\| =1.27.90-3 \|\| =1.28.0-1 \|\| =1.28.1-1 \|\| =1.28.1-2 \|\| =1.28.1-3 \|\| =1.28.2-1 \|\| =1.28.2-2 \|\| =1.28.3-1 \|\| >=0 <1.28.4-1	1.28.4-1
rpm rhel6	gstreamer-plugins-bad-free	-	-
rpm rhel7	gstreamer-plugins-bad-free	-	-
rpm rhel10	gstreamer1-plugins-bad-free	-	-
rpm rhel8	gstreamer1-plugins-bad-free	-	-
rpm rhel9	gstreamer1-plugins-bad-free	-	-

Aliases

1. CVE-2026-527192. NVD-2026-527193. OSV-2026-527194. OSV-DEBIAN-2026-527195. SECURITY-TRACKER-CVE-2026-52719

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.