What is CVE-2026-1940?

CVE-2026-1940 is a medium-severity vulnerability in Freedesktop Gst-plugins-good, classified under Out-of-bounds Read. CVSS score: 5.1/10. Published 2026-03-23.

How severe is CVE-2026-1940?

Medium severity. CVSS v3 base score is 5.1 out of 10.

Out-of-bounds Read in Freedesktop Gst-plugins-good

CVE-2026-1940

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual off…

Vulnerability class: Buffer Overflow

EPSS: 0.001 (17.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.1 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L.

Affected products

Freedesktop Gst-plugins-good — versions 1.0.0
Gstreamer
Debian Debian_linux — versions 11.0, 12.0
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Redhat Enterprise_linux — versions 7.0, 8.0, 9.0

Weakness classification (CWE)

CWE-125 — Out-of-bounds Read

References

secalert@redhat.com (x_refsource_REDHAT, vdb-entry, Vendor Advisory)
RHBZ#2436932 (x_refsource_REDHAT, issue-tracking, Issue Tracking, Vendor Advisory)
secalert@redhat.com (Broken Link)
secalert@redhat.com (Vendor Advisory)
secalert@redhat.com (Third Party Advisory)

Frequently asked questions

What is CVE-2026-1940?: CVE-2026-1940 is a medium-severity vulnerability in Freedesktop Gst-plugins-good, classified under Out-of-bounds Read. CVSS score: 5.1/10. Published 2026-03-23.
How severe is CVE-2026-1940?: Medium severity. CVSS v3 base score is 5.1 out of 10.