Vulnerability
During the periodic scanning of the local media, gst-hybris gets loaded by Gstreamer, a media framework, to perform HW-accelerated video decoding. gst-hybris expected the rendering element ("sink") to be HW-accelerated as well, but media scanning does not use HW-accelerated rendering. This results in memory corruption, which could potentially be exploited by a specifically-crafted media.
Info
The pipeline constructing process of Gstreamer is dynamic; it can automatically pick the demuxer, decoder(s), and sink(s) based on the file type, file content, and component's capability. In this case, Gstreamer picks gst-hybris' HW-accelerated decoder as the decoder, but "fakesink" as the sink (as the scanner only wants to know certain metadata).
Now, to perform HW-accelerated video rendering, gst-hybris has a dedicated sink which co-operate with the decoder in order to pass decoded video frame without copying the memory. When Gstreamer connects the decoder with the sink, the decoder can access the sink to perform necessary co-ordination. However, the decoder forgot to check if the sink it accesses is the one it can co-operate, which results in the code writing into the memory it's not supposed to access.
In order for this to be exploited, the video has to be on the device, which subsequently leads to it being scanned. Video playback in other cases is not affected, as they always use HW-accelerated video rendering.
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
Severity: Medium
Affected versions
Affected versions: All Ubuntu Touch versions up to and including 20.04 OTA-10, 24.04-1.0.
Fixed in versions: Ubuntu Touch 20.04 OTA-11 and 24.04-1.1.
Solution
Starting in Ubuntu Touch 20.04 OTA-11 and 24.04-1.1, gst-hybris checks the type of the sink before casting to the expected type.
Fixed in: https://gitlab.com/ubports/development/core/hybris-support/gst-hybris/-/commit/58bb0e1ba2169bd85ac0930bf074ab865553356f
Recommendations
Update your device to Ubuntu Touch 20.04 OTA-11, 24.04-1.1 or newer.
Do not download videos from untrusted sources.
Timeline
The issue was discovered on 30 September 2025, during a debugging of another issue.
The issue was discovered before the release of Ubuntu Touch 24.04-1.0, but we did not manage to work it through and fix it in time for that release.
Ubuntu Touch 20.04 OTA-11 and 24.04-1.1 was released on 1 December 2025, coordinated with the publication of this advisory.
Credit
Reported-by: Ratchanan Srirattanamet
Patched-by: Ratchanan Sirrattanamet
