Home

Description

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.

PUBLISHED Reserved 2026-02-04 | Published 2026-03-23 | Updated 2026-03-24 | Assigner redhat




MEDIUM: 5.1CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Product status

Default status
affected

Default status
unknown

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-02-04:Reported to Red Hat.
2026-02-25:Made public.

Credits

Red Hat would like to thank wooseokdotkim for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-1940 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2436932 (RHBZ#2436932) issue-tracking

gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4854

gstreamer.freedesktop.org/security/sa-2026-0001.html

security-tracker.debian.org/tracker/CVE-2026-1940

cve.org (CVE-2026-1940)

nvd.nist.gov (CVE-2026-1940)

Download JSON