Bug#1128625: [mediastreamer2] vulnerable to CVE-2026-2447
Lyndon Brown
jnqnfe at gmail.com
Sat Feb 21 22:53:27 GMT 2026
Source: mediastreamer2
Version: 1:5.3.105+dfsg-5
Severity: grave
Dear maintainer, you may be aware of the recent high-profile security
vulnerability patched in libvpx (CVE-2026-2447).
Please be aware that while libvpx12 in the Sid archive is patched for
this, libvpx11 is not, and libmediastreamer2-14 depends upon libvpx11
not libvpx12.
This leaves users of linphone potentially vulnerable.
I've filed a bug against libvpx11 itself (#1128623). Hopefully its
maintainer will backport patches. Otherwise please can you look at
patching mediastreamer2 to use libvpx12.
More information about the Pkg-voip-maintainers
mailing list