Andere informatie en diensten van de overheid: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: Multiple critical vulnerabilities in GStreamer, Patch Immediately!

Image
Decorative image
Gepubliceerd : 16/03/2026

. * Last Update: 16/03/2026

    * Affected products:
         → GStreamer

    * Type: Denial of Service, Remote Code Execution

    * CVE/CVSS:

  • CVE-2026-2920: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-2922: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-2923: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3081: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3082: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3086: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3085: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3083: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-2921: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  • CVE-2026-3084: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Sources

GStreamer - https://gstreamer.freedesktop.org/security/

Risks

Multiple vulnerabilities were discovered in GStreamer allowing attackers to execute unauthorized code, potentially exposing sensitive company data and disrupting operations.

GStreamer is a multimedia framework used by developers to build applications for streaming audio, video and other media formats across various operating systems.

If exploited this could lead to data breaches, system compromise and operational downtime impacting confidentiality, integrity and availability of critical businesses.

Description

Multiple critical RCE vulnerabilities have been identified in GStreamer, the open-source multimedia framework, disclosed on the 13 of March 2026. These flaws exist across multiple media parsers and demuxers, including ASF, RealMedia, DVB Subtitles, JPEG, RIFF, H.265 and H.266.

They are caused by memory safety issues such as heap/stack buffer overflows, out-of-bounds writes, and integer overflows/underflows (CVSS 7.8).

The two most severe flaws CVE-2026-3083 and CVE-2026-3085 (CVSS 8.8) reside in the rtpqdm2depay component and are remotely exploitable over the network via maliciously crafted RTP streams.

All reported vulnerabilities have been patched in the latest GStreamer release and organizations are strongly advised to update immediately and restrict processing of untrusted media content.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Zero Day Initiative - https://www.zerodayinitiative.com/advisories/ZDI-26-167/