<Vulnerability name="CVE-2026-14935">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-07T15:25:24</PublicDate>
    <Bugzilla id="2497679" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497679" xml:lang="en:us">
gstreamer: gstreamer: webrtcbin accepts remote SDP without a=fingerprint due to inverted presence check
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>3.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-670</CWE>
    <Details xml:lang="en:us" source="Mitre">
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability is rated as Low severity because exploitation requires man-in-the-middle access to the WebRTC signaling channel, which is typically TLS-protected. Additionally, the DTLS layer may still independently validate certificates, limiting the practical impact of this bypass. The webrtcbin component is shipped as part of gstreamer1-plugins-bad-free in Red Hat Enterprise Linux 8, 9, 10, and RHIVOS. The vulnerability weakens one layer of defense-in-depth but does not constitute a complete cryptographic break.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
There is no complete mitigation for this vulnerability. The following measures can reduce risk:

1. Ensure WebRTC signaling channels use TLS encryption to prevent SDP modification in transit.
2. If WebRTC functionality is not required, remove the webrtcbin plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstwebrtc.so).
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14935
https://nvd.nist.gov/vuln/detail/CVE-2026-14935
https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/98
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5171
    </References>
</Vulnerability>