← All CVEs

CVE-2026-52718

MEDIUM 6.5

Published 2026-06-15 · Last modified 2026-06-16

A denial of service vulnerability was found in GStreamer's AV1 codec parser in gst-plugins-bad. The gst_av1_parser_parse_tile_list_obu() function passes a byte count to a bit-reader API that expects a bit count, causing parser desynchronization. A remote attacker could trick a user into opening a specially crafted AV1 media file, triggering an assertion abort and causing the application to crash.

NO EXPLOITATION SIGNALS

No known exploitation, public exploit, or elevated probability at this time. Track for changes.

Exploitation likelihood

0.3%chance of exploitation in 30 days · 22nd percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

6.5CVSS 3.1 · MEDIUM

  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: A user must take an action (click / open a file)
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Red Hat

Products Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9

Weakness (CWE)

  • CWE-617

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Sources: NVD · CVE.org · EPSS