| Package | gst-plugins-ugly1.0 |
|---|---|
| Version | 1.10.4-1+deb9u3 (stretch), 1.14.4-1+deb10u3 (buster) |
| Related CVEs | CVE-2026-2920 CVE-2026-2922 |

Two vulnerabilities were discovered in gst-plugins-ugly1.0, a set of GStreamer plugins from the “ugly” set.

CVE-2026-2920

The ASF demuxer did not validate the number of streams against the size of its static streams array. A crafted ASF file with more than 32 streams could cause a heap-based buffer overflow and potentially allow code execution.

CVE-2026-2922

The RealMedia demuxer checked for too many video fragments after writing to the fragment storage, allowing an out-of-bounds write. Additionally, an integer overflow in the fragment size check could bypass the available data validation.
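
The two bug classes described for CVE-2026-2920 and CVE-2026-2922, shown in hardened form as an added example (not code from GStreamer or from this advisory). The struct, the function names, `MAX_FRAGS` and the `offset + size` shape of the size check are assumptions made for illustration; only the 32-entry stream array comes from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_STREAMS 32  /* static array size named in the advisory */
#define MAX_FRAGS   8   /* constructed limit for this sketch */

typedef struct {
    uint32_t stream_id[MAX_STREAMS];
    uint32_t num_streams;
    uint32_t frag_off[MAX_FRAGS];
    uint32_t num_frags;
} demux_t;              /* hypothetical demuxer state */

/* Validate the count BEFORE the store: stream 33 is rejected, not written. */
int add_stream(demux_t *d, uint32_t id)
{
    if (d->num_streams >= MAX_STREAMS)
        return -1;
    d->stream_id[d->num_streams++] = id;
    return 0;
}

/* Wrapping form, kept for contrast: offset + size can wrap past 2^32
 * and then compare as a small value that passes the check. */
int frag_fits_wrapping(uint32_t offset, uint32_t size, uint32_t avail)
{
    return (uint32_t)(offset + size) <= avail;
}

/* Overflow-safe form: subtract from the trusted bound instead of adding. */
int frag_fits(uint32_t offset, uint32_t size, uint32_t avail)
{
    if (offset > avail)
        return 0;
    return size <= avail - offset;
}

/* Both the fragment-count limit and the size check precede the write. */
int add_fragment(demux_t *d, uint32_t offset, uint32_t size, uint32_t avail)
{
    if (d->num_frags >= MAX_FRAGS)
        return -1;
    if (!frag_fits(offset, size, avail))
        return -1;
    d->frag_off[d->num_frags++] = offset;
    return 0;
}
```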

For Debian 10 buster, these problems have been fixed in version 1.14.4-1+deb10u3.

For Debian 9 stretch, these problems have been fixed in version 1.10.4-1+deb9u3.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.