<Vulnerability name="CVE-2026-59692">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-08T00:00:00</PublicDate>
    <Bugzilla id="2497344" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497344" xml:lang="en:us">
gstreamer: gstreamer: DTLS certificate Subject DN stack buffer overflow in openssl_verify_callback
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-121</CWE>
    <Details xml:lang="en:us" source="Mitre">
A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an oversized Subject DN that exceeds the buffer, causing a stack buffer overflow and process crash, resulting in denial of service.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A stack buffer overflow vulnerability was found in GStreamer's DTLS plugin. During a DTLS handshake, the peer certificate Subject Distinguished Name is printed into a fixed-size 2048-byte stack buffer without bounds checking. A remote unauthenticated attacker can send a certificate with an oversized Subject DN that exceeds the buffer, causing a stack buffer overflow and process crash, resulting in denial of service.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability is rated as Important severity because it is remotely triggerable without authentication or user interaction during a DTLS handshake. However, the actual impact is limited to denial of service. Remote code execution is not achievable because X509_NAME_print_ex() escapes all binary and control characters to printable ASCII sequences, preventing arbitrary byte injection into the overflow. Combined with stack canary protection (-fstack-protector-strong) in Red Hat builds, return address corruption cannot be exploited. The DTLS plugin is shipped as part of gstreamer1-plugins-bad-free in Red Hat Enterprise Linux 8, 9, 10, and RHIVOS. It is used by GStreamer WebRTC pipelines.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
There is no complete mitigation for this vulnerability. The following measures can reduce risk:

1. If WebRTC/DTLS functionality is not required, remove the DTLS plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstdtls.so).
2. Restrict network access to WebRTC/DTLS endpoints to trusted peers only via firewall rules.
3. Deploy GStreamer WebRTC services behind a reverse proxy or media server that validates DTLS certificates before forwarding.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>gstreamer1-plugins-bad-free</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-59692
https://nvd.nist.gov/vuln/detail/CVE-2026-59692
https://gitlab.freedesktop.org/gstreamer/gstreamer-security/-/merge_requests/99
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5172
    </References>
</Vulnerability>