Back to overview

CVE-2026-14935

LOW
3.7
CVSS 3.1
Description
A logic vulnerability was found in GStreamer's webrtcbin component. The _check_sdp_crypto() function contains an inverted boolean condition that causes it to accept remote SDP offers or answers that lack the required a=fingerprint attribute, while incorrectly rejecting those that include it. An attacker with the ability to intercept and modify WebRTC signaling messages could exploit this to bypass the SDP-level DTLS certificate fingerprint binding, weakening defenses against man-in-the-middle attacks on media streams.

Metadata

CVE ID
CVE-2026-14935
State
PUBLISHED
Assigner
redhat
Reserved
2026-07-07 11:25 UTC
Published
2026-07-07 15:37 UTC
Last updated
2026-07-07 16:13 UTC
Primary CWE
CWE-670
Always-Incorrect Control Flow Implementation
Vendor / Product
Red Hat / Red Hat Enterprise Linux 10
Sources
cve.org  ·  NVD

Severity & Metrics

3.7 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (6)
VendorProductPlatformVersions
Red Hat Red Hat Enterprise Linux 10
Red Hat Red Hat Enterprise Linux 6
Red Hat Red Hat Enterprise Linux 7
Red Hat Red Hat Enterprise Linux 7
Red Hat Red Hat Enterprise Linux 8
Red Hat Red Hat Enterprise Linux 9
Weakness (CWE)
CWESourceDescription
CWE-670 cna Always-Incorrect Control Flow Implementation
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.7 LOW 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview