CVE-2026-1940

Name of the Vulnerable Software and Affected Versions Versions prior to 2.3

Description An incomplete fix allows for a potential out-of-bounds read within the gst wavparse adtl chunk() function. The initial patch included a size validation check, however, it did not fully account for the offset calculation using GST ROUND UP 2(lsize). Specifically, when lsize is an odd number, the parser can advance beyond the validated boundaries, leading to an out-of-bounds read.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.