{"id":"USN-7558-1","summary":"gst-plugins-bad1.0 vulnerabilities","details":"It was discovered that the AV1 codec plugin in GStreamer could be made\nto write out of bounds. An attacker could possibly use this issue to\ncause applications using the plugin to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. This issue only affected\nUbuntu 22.04 LTS. (CVE-2023-50186, CVE-2024-0444)\n\nIt was discovered that the H265 codec plugin in GStreamer could be made\nto write out of bounds. An attacker could possibly use this issue to\ncause applications using the plugin to crash, resulting in a denial of\nservice, or possibly execute arbitrary code. (CVE-2025-3887)\n","modified":"2026-02-10T04:48:59Z","published":"2025-06-05T15:12:20Z","related":["UBUNTU-CVE-2023-50186","UBUNTU-CVE-2024-0444","UBUNTU-CVE-2025-3887"],"upstream":["CVE-2023-50186","CVE-2024-0444","CVE-2025-3887","UBUNTU-CVE-2023-50186","UBUNTU-CVE-2024-0444","UBUNTU-CVE-2025-3887"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7558-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-50186"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-0444"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-3887"}],"affected":[{"package":{"name":"gst-plugins-bad1.0","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/gst-plugins-bad1.0@1.16.3-0ubuntu1.1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.16.3-0ubuntu1.1+esm1"}]}],"versions":["1.16.1-1ubuntu1","1.16.1-1ubuntu3","1.16.1-1ubuntu4","1.16.1-1ubuntu5","1.16.1-1ubuntu6","1.16.1-1ubuntu8","1.16.2-1ubuntu1","1.16.2-1ubuntu2","1.16.2-2ubuntu1","1.16.2-2.1ubuntu1","1.16.3-0ubuntu1","1.16.3-0ubuntu1.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"gir1.2-gst-plugins-bad-1.0"},{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"gstreamer1.0-opencv"},{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"gstreamer1.0-plugins-bad"},{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"libgstreamer-opencv1.0-0"},{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"libgstreamer-plugins-bad1.0-0"},{"binary_version":"1.16.3-0ubuntu1.1+esm1","binary_name":"libgstreamer-plugins-bad1.0-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:20.04:LTS","cves":[{"id":"CVE-2025-3887","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7558-1.json"}},{"package":{"name":"gst-plugins-bad1.0","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/gst-plugins-bad1.0@1.20.3-0ubuntu1.1+esm2?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.20.3-0ubuntu1.1+esm2"}]}],"versions":["1.18.5-1ubuntu1","1.18.5-1ubuntu3","1.20.0-2ubuntu2","1.20.1-1ubuntu2","1.20.3-0ubuntu1","1.20.3-0ubuntu1.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"gir1.2-gst-plugins-bad-1.0"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"gstreamer1.0-opencv"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"gstreamer1.0-plugins-bad"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"gstreamer1.0-plugins-bad-apps"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"gstreamer1.0-wpe"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"libgstreamer-opencv1.0-0"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"libgstreamer-plugins-bad1.0-0"},{"binary_version":"1.20.3-0ubuntu1.1+esm2","binary_name":"libgstreamer-plugins-bad1.0-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[{"id":"CVE-2023-50186","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2024-0444","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-3887","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7558-1.json"}},{"package":{"name":"gst-plugins-bad1.0","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/gst-plugins-bad1.0@1.24.2-1ubuntu4+esm1?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.24.2-1ubuntu4+esm1"}]}],"versions":["1.22.4-1ubuntu1","1.22.4-1ubuntu2","1.22.4-1ubuntu4","1.22.9-2ubuntu1","1.24.0-1ubuntu3","1.24.0-1ubuntu4","1.24.2-1ubuntu4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"gir1.2-gst-plugins-bad-1.0"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"gstreamer1.0-opencv"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"gstreamer1.0-plugins-bad"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"gstreamer1.0-plugins-bad-apps"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"libgstreamer-opencv1.0-0"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"libgstreamer-plugins-bad1.0-0"},{"binary_version":"1.24.2-1ubuntu4+esm1","binary_name":"libgstreamer-plugins-bad1.0-dev"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:Pro:24.04:LTS","cves":[{"id":"CVE-2025-3887","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7558-1.json"}}],"schema_version":"1.7.3"}