GStreamer
open source multimedia framework

GStreamer Spring Hackfest 2026

29-31 May 2026 ยท Nice, France

Join us!
Home
Features
News
Annual Conference
Planet (Blogs)
Download
Applications
Security Center
GitLab
Developers
Documentation
Forum
File a Bug
Artwork
Follow us on Bluesky
Follow us on Mastodon
Chat with us on Matrix

Security Advisory 2026-0021 (CVE-2026-39044)
Summary Integer overflow in WAV parser cue handling
Date 2026-04-07
Affected Versions GStreamer gst-plugins-good < 1.28.2
IDs GStreamer-SA-2026-0021
CVE-2026-39044

Details

An integer overflow in the WAV parser (wavparse) when handling malformed WAV files with cue chunks. The vulnerability occurs during buffer size validation when calculating the expected size for cue entries (ncues * 24), where insufficient bounds checking allows integer overflow during the multiplication operation.

Impact

A malicious third party could trigger a crash in the application, resulting in denial of service, when processing malicious WAV media files. Memory exhaustion may also occur during cue chunk parsing.

Solution

The gst-plugins-good 1.28.2 release addresses the issue. People using older versions of GStreamer should apply the patch and recompile.

References

The GStreamer project

CVE Database Entries

GStreamer 1.28.2 release

Patches

Report a problem on this page.