Red Hat Product Errata RHSA-2026:9487 - Security Advisory
Issued:
2026-04-21
Updated:
2026-04-21

RHSA-2026:9487 - Security Advisory

Synopsis

Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for multiple packages is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.

Security Fix(es):

  • GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser (CVE-2026-3082)
  • GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay (CVE-2026-3085)
  • GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling (CVE-2026-2921)
  • GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay (CVE-2026-3083)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - AUS 8.2 x86_64

Fixes

  • BZ - 2447492 - CVE-2026-3082 GStreamer: GStreamer: Remote Code Execution via heap-based buffer overflow in JPEG parser
  • BZ - 2447495 - CVE-2026-3085 GStreamer: GStreamer: Remote Code Execution via Heap-based Buffer Overflow in rtpqdm2depay
  • BZ - 2447496 - CVE-2026-2921 GStreamer: GStreamer: Arbitrary code execution via RIFF palette integer overflow in AVI file handling
  • BZ - 2447498 - CVE-2026-3083 GStreamer: GStreamer: Remote Code Execution via Out-Of-Bounds Write in rtpqdm2depay

Red Hat Enterprise Linux Server - AUS 8.2

SRPM
gstreamer1-plugins-bad-free-1.16.1-4.el8_2.src.rpm SHA-256: 288f355aa42634884195a92e8f3ae7ee2ce1b3bef3395f45931af4dabdb2bd50
gstreamer1-plugins-base-1.16.1-3.el8_2.src.rpm SHA-256: ab95744bfb7f3c54938800b8ea503aff105cebbf03aae563c847fb8253f3060d
gstreamer1-plugins-good-1.16.1-3.el8_2.src.rpm SHA-256: 512ab7250629da68afe747976778a4667a3543f78eba20e5e37680a0e7a28167
x86_64
gstreamer1-plugins-bad-free-1.16.1-4.el8_2.i686.rpm SHA-256: 0ad1022909223408fd20f1d42f5e1201f9f6a4ea93f3f11ff5eaba65a6b27581
gstreamer1-plugins-bad-free-1.16.1-4.el8_2.x86_64.rpm SHA-256: a491e38a70077d4dd6865aa1dba993268a45f8ecb2624f2ff8b576958b32c5cf
gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_2.i686.rpm SHA-256: e29c494982b961b0b18096968566dcfe0775a219cf20ebed0016cc8b4b00f2a0
gstreamer1-plugins-bad-free-debuginfo-1.16.1-4.el8_2.x86_64.rpm SHA-256: 1650596d59562862d675c082025bb0d36e73ac4b6f8f0053958a9e8c01be0567
gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_2.i686.rpm SHA-256: 30a83367795e2b1838328e8d27602847abfaa160ed50fb0c1d3781fc092eebae
gstreamer1-plugins-bad-free-debugsource-1.16.1-4.el8_2.x86_64.rpm SHA-256: dddda0654cfd6017309d01a2ccffb2e77fcaa099ae9d0a516837751c3499ddd2
gstreamer1-plugins-base-1.16.1-3.el8_2.i686.rpm SHA-256: 416dc60242efe61c68db4f0983c6e75393f9e83cb93c341fead1a7fedb61b454
gstreamer1-plugins-base-1.16.1-3.el8_2.x86_64.rpm SHA-256: ed53d8a8324bb7ade8c1b889ccabbf397432caa841290ee092b0d172fda8fbfd
gstreamer1-plugins-base-debuginfo-1.16.1-3.el8_2.i686.rpm SHA-256: aca518445a448822425ff67f244cb88cf72b760788b0c7501b6344cb0b7a553e
gstreamer1-plugins-base-debuginfo-1.16.1-3.el8_2.x86_64.rpm SHA-256: df7c2e576bf13f02d0d6f81bae741a076c26bea1aff62ce7ab5f49988d99b339
gstreamer1-plugins-base-debugsource-1.16.1-3.el8_2.i686.rpm SHA-256: 8bd4410a77d1b0f07232604be438d33e3575b013885fede77cab7070029980c9
gstreamer1-plugins-base-debugsource-1.16.1-3.el8_2.x86_64.rpm SHA-256: 93d7cf894497226ce6441775022d214fa9377519cf72703f3ae7635758d7e260
gstreamer1-plugins-base-devel-1.16.1-3.el8_2.i686.rpm SHA-256: a541b378b2c58c2cae620523edf84c6c14bf23294535e892503c2f976c017106
gstreamer1-plugins-base-devel-1.16.1-3.el8_2.x86_64.rpm SHA-256: 2b9f3525c309081676c131cba730ceab11432d73ffb1257db0fc17c4b6073910
gstreamer1-plugins-base-tools-debuginfo-1.16.1-3.el8_2.i686.rpm SHA-256: 70e45581501a17459a2c0162b642349de37ececd2cace5dce22879710d7fb085
gstreamer1-plugins-base-tools-debuginfo-1.16.1-3.el8_2.x86_64.rpm SHA-256: ebd47d95e25c516ec0bca376bcb682a2b5648116f79df0c55346db67b8fafe57
gstreamer1-plugins-good-1.16.1-3.el8_2.i686.rpm SHA-256: 0c0d8941400117b277bd86fbe8a0c2229d4bfea1b8793394daf4d8b6296dd40b
gstreamer1-plugins-good-1.16.1-3.el8_2.x86_64.rpm SHA-256: 28a108230fd363156d5ac6704589f788bc1af349604c3b1accda0d76c8179567
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8_2.i686.rpm SHA-256: 1156861a38ed22c5d93936fcdcab8060e678afe57eaecc3e9790e136b1f1021d
gstreamer1-plugins-good-debuginfo-1.16.1-3.el8_2.x86_64.rpm SHA-256: 90e10385ce4e0ddaa71b49f0ce017245825b76d1633c3a8c3cdd46b7fbc7ff1f
gstreamer1-plugins-good-debugsource-1.16.1-3.el8_2.i686.rpm SHA-256: b87b659edbffca63b4217fe0473ae810d19b5b53fa8f702488055726a2943a72
gstreamer1-plugins-good-debugsource-1.16.1-3.el8_2.x86_64.rpm SHA-256: 9a2338e8b00362d64857da1fd8256445eaeb3552a4c4f7509ce4c9d73b8aba2c
gstreamer1-plugins-good-gtk-1.16.1-3.el8_2.i686.rpm SHA-256: b8c4e771685cf8fb2168cb939a563da17a7526f8972c4f5d127b276b0a3278f5
gstreamer1-plugins-good-gtk-1.16.1-3.el8_2.x86_64.rpm SHA-256: bbbbdd48c1f74fc108e28f9c5634c24346b615b09172578b606c4e920feadb72
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8_2.i686.rpm SHA-256: ac0b064d2489413fce83f76e6a6868138c574ca0cfd3dd13d6a780487def91d5
gstreamer1-plugins-good-gtk-debuginfo-1.16.1-3.el8_2.x86_64.rpm SHA-256: f1a8fe0811b544f2c1e9ac771dc6a4e2f11b72c9151a8584726d26f04a4d4e74

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.