{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-59691","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-07-06T13:40:46.923Z","datePublished":"2026-07-09T09:34:47.743Z","dateUpdated":"2026-07-09T13:50:41.903Z"},"containers":{"cna":{"title":"Gstreamer: gstreamer: rfbsrc/librfb hextile heap out-of-bounds write with 16bpp framebuffer","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer1-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:10"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:6"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer1-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:7"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:7"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer1-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:8"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"gstreamer1-plugins-bad-free","defaultStatus":"affected","cpes":["cpe:/o:redhat:enterprise_linux:9"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-59691","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2497343","name":"RHBZ#2497343","tags":["issue-tracking","x_refsource_REDHAT"]},{"url":"https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/100"},{"url":"https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5173"}],"datePublic":"2026-07-08T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-787","description":"Out-of-bounds Write","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-787: Out-of-bounds Write","workarounds":[{"lang":"en","value":"There is no complete mitigation for this vulnerability. The following measures can reduce risk:\n\n1. Do not connect GStreamer pipelines using rfbsrc to untrusted or unknown VNC servers.\n2. If the rfbsrc plugin is not required, remove the librfb plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstrfbsrc.so).\n3. Network-level controls (firewall rules) can restrict outbound VNC connections to trusted servers only."}],"timeline":[{"lang":"en","time":"2026-07-06T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-07-08T00:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-07-09T09:34:47.743Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-09T13:50:29.784295Z","id":"CVE-2026-59691","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-09T13:50:41.903Z"}}]}}