CVE-2026-3083

High · Updated

Published: 16 March 2026

Modified: 30 June 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0076 (50.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3083 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in GStreamer. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.3% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

GStreamer rtpqdm2depay Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of X-QDM RTP payload elements. When parsing the packetid element, the process does not properly validate user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28850.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1203 · Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

OOB write in RTP packet parsing directly enables remote code execution via crafted network input (T1190) or client-side media processing (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3085: Same product (GStreamer)
CVE-2025-47219: Same product (GStreamer)
CVE-2026-21413: Shared CWE-129
CVE-2025-69248: Shared CWE-129
CVE-2026-2006: Shared CWE-129
CVE-2026-25882: Shared CWE-129
CVE-2026-32285: Shared CWE-129
CVE-2023-52987: Shared CWE-129
CVE-2026-33281: Shared CWE-129
CVE-2026-23447: Shared CWE-129

Affected Assets

gstreamer ≤ 1.28.1

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
