Security Advisory - Published 2026-06-16 - GStreamer Media Framework
GStreamer CVE-2026-52719, CVE-2026-52720, and CVE-2026-52722: check untrusted media paths
This June 2026 GStreamer batch affects systems that parse, preview, index, transcode, or open media from untrusted sources. CVE-2026-52719 is fixed in gst-plugins-bad 1.28.4 according to the GStreamer advisory. CVE-2026-52720 and CVE-2026-52722 are tracked by Red Hat for GStreamer librfb and VMnc decoder handling.
Who should check
| Item | Detail |
|---|---|
| CVE-2026-52719 | VA JPEG decoder out-of-bounds read in gst-plugins-bad before 1.28.4 |
| CVE-2026-52720 | GStreamer librfb RFB/VNC client heap overflow risk |
| CVE-2026-52722 | GStreamer VMnc decoder signed integer overflow risk |
| High-risk use | Upload previewers, thumbnail generators, media transcoders, support-ticket attachments, VNC/RFB viewers, desktop file indexers, and sandboxed media analysis jobs |
Package check
gst-inspect-1.0 --version
gst-inspect-1.0 | rg -i "jpeg|va|rfb|vnc|vmnc|bad"
rpm -qa | rg -i "gstreamer|gst-plugins"
dpkg -l | rg -i "gstreamer|gst-plugins"
Use the package manager that matches the host. Containers and workers can carry their own GStreamer packages, so check the runtime image used by preview, conversion, and indexing jobs as well as the base operating system.
Exposure review
- File upload features that generate previews, thumbnails, waveform images, PDF/media embeds, or converted derivatives.
- Ticketing, chat, LMS, DAM, CMS, and research portals that accept JPEG, video, archive, or remote-media attachments.
- Desktop environments where file managers, video players, or search indexers automatically inspect downloaded files.
- VNC/RFB workflows where users or automation connect to servers outside your trust boundary.
- Batch media pipelines that process files from customers, partners, crawlers, or public buckets.
Logs and crash indicators
journalctl --since "2026-06-12" | rg -i "gstreamer|gst|thumbnail|tracker|localsearch|jpeg|rfb|vnc|vmnc|segfault|core dumped"
rg -n "gstreamer|gst|thumbnail|transcode|jpeg|rfb|vnc|vmnc|segfault|core dumped|SIGSEGV" logs/ 2>/dev/null
A clean review shows patched packages, no unexplained media-worker crashes, no repeated thumbnailer failures from one file source, no sudden queue backlog, and no VNC/RFB client crashes after connecting to unfamiliar endpoints.
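As an added example that is not the advisory's or GStreamer's own tooling, the following POSIX shell script performs two of the checks above: it compares an installed gst-plugins-bad version against the 1.28.4 fix for CVE-2026-52719, and it groups worker crash lines by upload source so repeated failures from one source stand out. The fixed version comes from the advisory; the journal lines, the `thumbnailer` process name, and the `/uploads/...` paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the GStreamer project or this advisory.
# Assumes the fixed version 1.28.4 stated above; the log lines are constructed.

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Non-numeric suffixes such as "-1" or "~rc1" on a field are ignored.
version_lt() {
    a="$1" b="$2" i=1
    while :; do
        x=$(printf '%s.' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}
        y=$(printf '%s.' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields compared equal
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# gst_bad_vulnerable VERSION: true when gst-plugins-bad is below the 1.28.4 fix.
gst_bad_vulnerable() { version_lt "$1" "1.28.4"; }

# crashes_by_source LOG: pair each worker's "processing <path>" line with a later
# crash line for the same PID, then count crashes per parent directory (source).
crashes_by_source() {
    printf '%s\n' "$1" | awk '
        match($0, /[a-z]+\[[0-9]+\]: processing /) {
            pid = $0; sub(/.*\[/, "", pid); sub(/\].*/, "", pid)
            path = $0; sub(/.*processing /, "", path)
            sub("/[^/]*$", "", path)             # keep the parent directory only
            src[pid] = path
        }
        /segfault|SIGSEGV|core dumped/ && match($0, /\[[0-9]+\]/) {
            pid = substr($0, RSTART + 1, RLENGTH - 2)
            if (pid in src) n[src[pid]]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed journal excerpt: two crashes from /uploads/u77, none from /uploads/u12.
SAMPLE_LOG='Jun 14 10:01:02 worker1 thumbnailer[4321]: processing /uploads/u77/a.jpg
Jun 14 10:01:03 worker1 kernel: thumbnailer[4321]: segfault at 0 ip 0 in libgstva.so
Jun 14 10:02:10 worker1 thumbnailer[4333]: processing /uploads/u77/b.jpg
Jun 14 10:02:11 worker1 kernel: thumbnailer[4333]: segfault at 0 ip 0 in libgstva.so
Jun 14 10:03:00 worker1 thumbnailer[4340]: processing /uploads/u12/c.mp4
Jun 14 10:03:01 worker1 thumbnailer[4340]: done'

if gst_bad_vulnerable "1.28.3-1"; then echo "gst-plugins-bad 1.28.3-1 is below the 1.28.4 fix"; fi
crashes_by_source "$SAMPLE_LOG"       # prints: 2 /uploads/u77
```

Feed `journalctl` or worker log output to `crashes_by_source` in place of the constructed sample, and a source that accounts for most crashes is the one to quarantine first.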
Safe fix path
- Apply vendor packages for GStreamer and gst-plugins-bad. Where source builds are used, move gst-plugins-bad to 1.28.4 or newer for CVE-2026-52719.
- Restart services, workers, desktop sessions, containers, and queue consumers that have loaded old GStreamer libraries.
- Temporarily disable automatic previews or transcoding for untrusted uploads if packages are not available yet.
- Run media processing in constrained workers with memory, CPU, file-system, and network limits.
- Preserve suspicious files and logs if a crash pattern appears, then handle the files as evidence rather than opening them on an analyst workstation.
When to request repair help
Use Ping7 CVE Repair when upload previews or media workers crash, package state differs between hosts and containers, or you cannot tell which service is loading GStreamer. Send the distro, package versions, container image tags, crash timestamps, and whether untrusted users can upload media.