What is GHSA-j3jj-fwr8-4v9m?

GHSA-j3jj-fwr8-4v9m is a security advisory published by GitHub Security Advisories with High severity. A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When...

Which CVE IDs does GHSA-j3jj-fwr8-4v9m cover?

GHSA-j3jj-fwr8-4v9m covers the following CVE IDs: CVE-2026-53704. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-j3jj-fwr8-4v9m?

GHSA-j3jj-fwr8-4v9m has a CVSS v3 base score of 7.1, published by GitHub Security Advisories.

GHSA-j3jj-fwr8-4v9mHighCVSS 7.1

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When...

Vendor

GitHub Security Advisories

Published

June 15, 2026

Last Modified

June 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-53704 →

📋 Description

A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package. When processing a RealMedia file containing a specially crafted FILEINFO metadata section, the demuxer parses variable-name and variable-value pairs using re_skip_pascal_string() without validating that offsets remain within the mapped buffer. Additionally, the element count controlling the parsing loop is read from attacker-controlled data without validation, which can cause an infinite loop. A crafted RealMedia file can cause the application to crash, hang, or potentially read limited adjacent memory contents.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-53704
https://access.redhat.com/security/cve/CVE-2026-53704
https://bugzilla.redhat.com/show_bug.cgi?id=2487614
https://github.com/advisories/GHSA-j3jj-fwr8-4v9m