CVE-2026-14935 PUBLISHED

Gstreamer: gstreamer: webrtcbin accepts remote sdp without a=fingerprint due to inverted presence check

Assigner: redhat
Reserved: 07.07.2026 Published: 07.07.2026 Updated: 07.07.2026

A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected

Workarounds

There is no complete mitigation for this vulnerability. The following measures can reduce risk:

  1. Ensure WebRTC signaling channels use TLS encryption to prevent SDP modification in transit.
  2. If WebRTC functionality is not required, remove the webrtcbin plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstwebrtc.so).

Credits

  • Red Hat would like to thank Clouditera Security (Clouditera), NSFOCUS (NSFOCUS), and Z.ai Security (Z.ai) for reporting this issue.

References

Problem Types

  • Always-Incorrect Control Flow Implementation CWE