Security Advisory - Published 2026-06-16 - GStreamer Media Framework

GStreamer CVE-2026-52719, CVE-2026-52720, and CVE-2026-52722: check untrusted media paths

This June 2026 GStreamer batch affects systems that parse, preview, index, transcode, or open media from untrusted sources. CVE-2026-52719 is fixed in gst-plugins-bad 1.28.4 according to the GStreamer advisory. CVE-2026-52720 and CVE-2026-52722 are tracked by Red Hat for GStreamer librfb and VMnc decoder handling.

Defensive scope: use this page for owned Linux desktops, servers, CI/media pipelines, file portals, and client-approved reviews. It does not include crafted media files or reproduction steps.

Who should check

  • CVE-2026-52719: VA JPEG decoder out-of-bounds read in gst-plugins-bad before 1.28.4
  • CVE-2026-52720: GStreamer librfb RFB/VNC client heap overflow risk
  • CVE-2026-52722: GStreamer VMnc decoder signed integer overflow risk
  • High-risk use: upload previewers, thumbnail generators, media transcoders, support-ticket attachments, VNC/RFB viewers, desktop file indexers, and sandboxed media analysis jobs

Package check

gst-inspect-1.0 --version
gst-inspect-1.0 | rg -i "jpeg|va|rfb|vnc|vmnc|bad"
rpm -qa | rg -i "gstreamer|gst-plugins"
dpkg -l | rg -i "gstreamer|gst-plugins"

Use the package manager that matches the host. Containers and workers can carry their own GStreamer packages, so check the runtime image used by preview, conversion, and indexing jobs as well as the base operating system.

Exposure review

  • File upload features that generate previews, thumbnails, waveform images, PDF/media embeds, or converted derivatives.
  • Ticketing, chat, LMS, DAM, CMS, and research portals that accept JPEG, video, archive, or remote-media attachments.
  • Desktop environments where file managers, video players, or search indexers automatically inspect downloaded files.
  • VNC/RFB workflows where users or automation connect to servers outside your trust boundary.
  • Batch media pipelines that process files from customers, partners, crawlers, or public buckets.

Logs and crash indicators

journalctl --since "2026-06-12" | rg -i "gstreamer|gst|thumbnail|tracker|localsearch|jpeg|rfb|vnc|vmnc|segfault|core dumped"
rg -n "gstreamer|gst|thumbnail|transcode|jpeg|rfb|vnc|vmnc|segfault|core dumped|SIGSEGV" logs/ 2>/dev/null

A clean review has patched packages, no unexplained media-worker crashes, no repeated thumbnailer failures from one file source, no sudden queue backlog, and no VNC/RFB client crashes after connecting to unfamiliar endpoints.
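The package version check and the crash-indicator review above, as an added POSIX shell example that is not from the advisory or the GStreamer project. The fixed version 1.28.4 is the one the advisory gives for CVE-2026-52719; the journal-style log lines, process names and the preview-worker unit in them are constructed for this example.

```shell
#!/bin/sh
# Added example: compare an installed gst-plugins-bad version against the
# 1.28.4 fix for CVE-2026-52719, and count crash indicators per media worker.
FIXED_GST_BAD="1.28.4"

# Numeric component $2 of dotted version $1. Distro suffixes such as
# "-1ubuntu1" are dropped and missing components count as 0.
vcomp() {
  c=$(printf '%s.\n' "$1" | cut -s -d. -f"$2")
  c=${c%%[!0-9]*}
  printf '%s\n' "${c:-0}"
}

# Exit 0 when version $1 is older than version $2 (up to four components).
version_lt() {
  i=1
  while [ "$i" -le 4 ]; do
    a=$(vcomp "$1" "$i"); b=$(vcomp "$2" "$i")
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Prints "vulnerable" or "patched" for an installed gst-plugins-bad version,
# e.g. the version column of: rpm -q gst-plugins-bad-free / dpkg -l.
gst_bad_status() {
  if version_lt "$1" "$FIXED_GST_BAD"; then echo vulnerable; else echo patched; fi
}

# Number of crash-indicator lines in log text $1 that mention process/unit $2.
# A count above one for the same worker is the "repeated failure" signal the
# review looks for; the file source then needs to be traced in the job queue.
crash_lines_for() {
  printf '%s\n' "$1" | grep -Ei 'segfault|core dumped|SIGSEGV|/SEGV' \
    | grep -Fc "$2" || true
}

# Constructed sample (journalctl style): the thumbnailer crashed twice in
# the same library, the preview worker once, the VNC viewer not at all.
SAMPLE_LOG='Jun 13 09:02:11 host kernel: gst-thumbnailer[4123]: segfault at 0 ip 00007f3a sp 00007ffd error 4 in libgstva.so
Jun 13 09:02:30 host systemd[1]: preview-worker.service: Main process exited, code=dumped, status=11/SEGV
Jun 13 09:05:02 host kernel: gst-thumbnailer[4188]: segfault at 8 ip 00007f3a sp 00007ffd error 4 in libgstva.so
Jun 13 09:07:44 host vncviewer[5010]: connection closed by peer'

for v in 1.28.3 1.28.4 1.28.4-1ubuntu1; do echo "gst-plugins-bad $v: $(gst_bad_status "$v")"; done
for p in gst-thumbnailer preview-worker vncviewer; do echo "$p crashes: $(crash_lines_for "$SAMPLE_LOG" "$p")"; done
```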

Safe fix path

  1. Apply vendor packages for GStreamer and gst-plugins-bad. Where source builds are used, move gst-plugins-bad to 1.28.4 or newer for CVE-2026-52719.
  2. Restart services, workers, desktop sessions, containers, and queue consumers that have loaded old GStreamer libraries.
  3. Temporarily disable automatic previews or transcoding for untrusted uploads if packages are not available yet.
  4. Run media processing in constrained workers with memory, CPU, file-system, and network limits.
  5. Preserve suspicious files and logs if a crash pattern appears, then handle the files as evidence rather than opening them on an analyst workstation.

When to request repair help

Use Ping7 CVE Repair when upload previews or media workers crash, package state differs between hosts and containers, or you cannot tell which service is loading GStreamer. Send the distro, package versions, container image tags, crash timestamps, and whether untrusted users can upload media.
