Gstreamer: gstreamer: rfbsrc/librfb hextile heap out-of-bounds write with 16bpp framebuffer
Summary
| CVE | CVE-2026-59691 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 11:16:41 UTC |
| Updated | 2026-07-09 16:39:17 UTC |
| Description | A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption. |
Risk And Classification
Primary CVSS: v3.1 7.1 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Problem Types: CWE-787 | CWE-787 Out-of-bounds Write
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H |
| 3.1 | CNA | CVSS | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100 | [email protected] | gitlab.freedesktop.org | |
| access.redhat.com/security/cve/CVE-2026-59691 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5173 | [email protected] | gitlab.freedesktop.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-07-06T00:00:00.000Z | Reported to Red Hat. |
| CNA | 2026-07-08T00:00:00.000Z | Made public. |
Workarounds
CNA: There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. Do not connect GStreamer pipelines using rfbsrc to untrusted or unknown VNC servers. 2. If the rfbsrc plugin is not required, remove the librfb plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstrfbsrc.so). 3. Network-level controls (firewall rules) can restrict outbound VNC connections to trusted servers only.