No advisories yet.
Solution
No solution given by the vendor.
Workaround
There is no complete mitigation for this vulnerability. The following measures can reduce risk: 1. Ensure WebRTC signaling channels use TLS encryption to prevent SDP modification in transit. 2. If WebRTC functionality is not required, remove the webrtcbin plugin shared object from the GStreamer plugins directory (typically /usr/lib64/gstreamer-1.0/libgstwebrtc.so).
Tue, 07 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 07 Jul 2026 16:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams. | |
| Title | Gstreamer: gstreamer: webrtcbin accepts remote sdp without a=fingerprint due to inverted presence check | |
| First Time appeared |
Redhat
Redhat enterprise Linux |
|
| Weaknesses | CWE-670 | |
| CPEs | cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9 |
|
| Vendors & Products |
Redhat
Redhat enterprise Linux |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-07T16:13:27.854Z
Reserved: 2026-07-07T11:25:35.489Z
Link: CVE-2026-14935
Updated: 2026-07-07T16:13:24.266Z
No data.
No data.
OpenCVE Enrichment
No data.