CVE-2026-59691

Public on 2026-07-09
Modified on 2026-07-10
Description
A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core gstreamer-plugins-bad-free Pending Fix
Amazon Linux 2 - Core gstreamer1-plugins-bad-free Pending Fix
Amazon Linux 2023 gstreamer1-plugins-bad-free Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H