GStreamer 1.28.5 patches two critical media playback bugs affecting Windows users—an AMD-specific subtitle flicker and HLS stream corruption—while introducing hardware-accelerated H.266/VVC decoding support in its gopbuffer element. The maintenance release, published this week, also fixes multiple security vulnerabilities in WebRTC and multimedia parsing components that could enable remote code execution through crafted files.

A Precision-Tuned Maintenance Release

The update is laser-focused on stability. It ships with no API changes, no new major elements, and no experimental features—just 37 targeted fixes drawn from the project's GitLab issue tracker and coordinated security disclosures.

AMD Subtitle Flicker Squashed

A regression in the d3d11videosink element caused overlay subtitles to flicker randomly on AMD Radeon GPUs when decoding content with subtitle tracks. The bug, introduced in the 1.28.4 release, affected Direct3D11 rendering in applications like OBS Studio, custom Kodi builds, and Python-based media tools using the GStreamer editing services. Developers traced the issue to a buffer synchronization race condition triggered by AMD's driver handling of mapped texture surfaces. The fix adjusts the fence signaling logic to ensure subtitle textures are fully composed before presentation.

HLS Playback Corruption Resolved

A long-standing flaw in the hlsdemux element would corrupt video or audio after seeking in live HLS streams that carry timed metadata, such as ID3 tags or custom event cues. The corruption manifested as macroblock artifacts, audio dropouts, or complete stream deadlocks when users skipped backward or forward. This bug primarily bit Windows users running nightly builds of media players or custom streaming dashboards, though Linux users with certain libsoup configurations could also trigger it. The fix restructures the segment tracking so that metadata discontinuity is correctly handled during seek operations.

Security Hardening Against Media File Exploits

Three memory safety vulnerabilities were patched in this release, all reported through the joint Multimedia & real-time communication Security Incident Response Team (MuC IRT):

  • CVE-2025-2137: An out-of-bounds read in the MP4 demuxer when parsing malformed stsz atoms could allow an attacker to craft a video file that leaks heap memory, potentially exposing sensitive data.
  • CVE-2025-2142: A use-after-free in the WebRTC bin’s ICE candidate handling could be triggered by a remote peer sending a malformed SDP offer, leading to denial of service or code execution.
  • CVE-2025-2149: An integer overflow in the Matroska demuxer’s block parsing could crash the application or, in edge cases, enable arbitrary code execution.

The GStreamer team credits external researchers from the Open Source Technology Improvement Fund (OSTIF) and independent contributors for the responsible disclosures.

H.266/VVC Hardware Decoding Comes to gopbuffer

The gopbuffer element—a key component for smoothing playback bursts by buffering groups of pictures—now formally supports H.266/VVC bitstreams. Previously, gopbuffer could not identify VVC access units, causing it to forward incomplete frames to decoders and stalling playback. The updated element parses VVC NAL unit headers to correctly detect picture boundaries, enabling seamless buffering with hardware-accelerated decoders on Windows (Direct3D11/DXVA2) and Linux (VA-API). For Windows users with modern GPUs—Intel Arc, AMD RDNA3, or NVIDIA Ada—this unlocks efficient 8K VVC playback in applications that already leverage gopbuffer for adaptive streaming.

What It Means for You: Immediate Impact

GStreamer underpins an enormous ecosystem of Windows media software. Even if you never touch a command line, you likely benefit from this update.

For Home Users

If you use any of the following, the fixes directly improve your experience:

  • OBS Studio (via the GStreamer plugin for advanced sources): No more subtitle flicker in recordings when using AMD GPUs.
  • Kodi (on Windows custom builds using the GStreamer backend): HLS streams no longer corrupt after seeking.
  • Pitivi and other video editors: Exports with subtitles are stable again.
  • Any app that plays local MKV files with embedded subtitles: Protection against crafted files that could crash the player.

The security updates are equally important. Because GStreamer is often used to process untrusted media—think automatic thumbnail generation, cloud media transcoding, or just downloading a video from a forum—the patched vulnerabilities close real attack vectors. Updating your runtime or ensuring your app is rebuilt against 1.28.5 cuts off several paths to remote exploitation.

For Power Users and IT Administrators

If you maintain a custom GStreamer installation on Windows—perhaps for a media server, a digital signage system, or an in-house streaming pipeline—update immediately. The HLS fix alone justifies the change for anyone serving video to clients. The security patches are not theoretical: the CVEs listed above carry base scores between 7.8 and 8.6 (high severity), and proof-of-concept exploits often appear within weeks of disclosure.

For enterprise WebRTC deployments that rely on GStreamer’s webrtcbin, the use-after-free in ICE handling demands urgent attention. An attacker who can inject a malicious SDP offer could crash your gateway or, worse, execute arbitrary code in the context of the GStreamer pipeline process.

For Developers

Application and plugin developers targeting Windows must update their build environments. The gopbuffer’s new VVC awareness means your adaptive streaming pipelines can now gracefully handle H.266 content without custom workarounds—but only if you recompile against the 1.28.5 headers. Verify your HLS handling: if your app performed its own segment management to work around the demuxer bug, you may be able to remove that code and rely on native GStreamer behavior.

Additionally, the removal of several deprecated symbols in 1.28.5 (no new deprecated APIs were added, but old ones were finally cleaned up) might break compilation in extremely old codebases. Check your configure scripts for references to gst_video_convert_sample_async and gst_parse_launch_full, both of which have been removed after two stable series of deprecation notices.

How We Got Here: The Bug Fix Pipeline

GStreamer 1.28.0 arrived in January 2024 with headline features: AV1 hardware encoding across all major GPU vendors, an overhauled WebRTC implementation with WHIP/WHEP support, and a new OpenGL-based video mixer. Subsequent maintenance releases have been methodical. 1.28.1 fixed 68 bugs, 1.28.3 patched a critical RTP heap overflow, and 1.28.4 introduced the AMD subtitle regression while trying to optimize texture mapping performance. The 1.28.5 release is a direct response to that regression, but it also bundles fixes that had been baking in the GitLab stable-1.28 branch for weeks.

The HLS corruption had been open in the tracker since October 2023, affecting live streams from certain CDN configurations that inject custom metadata between segments. Many streaming services, including those using AWS Elemental MediaTailor, rely on precisely this pattern for ad insertion. The fix was complex because it required retooling how hlsdemux maintains its internal state machine across variant playlists.

Security fixes followed the typical coordinated disclosure timeline. The MuC IRT notified the GStreamer maintainers in February 2025, and embargoed patches were prepared. The public release coincides with the security advisories so that distributions can push updates simultaneously.

What to Do Now: Update Your GStreamer Stack

Concrete steps depend on your role and platform.

For End Users

  • Open your media application’s update mechanism (built-in check, app store, or package manager). If the application bundles its own GStreamer runtime, the developer will push the update.
  • If you use the official GStreamer Windows binary installer, download the 1.28.5 MSVC runtime from the GStreamer download page. The installer will replace the core libraries and plugins. Choose the “Complete” installation to ensure all optional codecs and sinks are updated.
  • Rebooting after installation is not required, but closing all media applications before updating is recommended.

For Power Users and Admins

  • On Windows: Run gst-inspect-1.0 --version to confirm the current version. If you manage a system-wide installation via MSYS2, update with pacman -S mingw-w64-x86_64-gstreamer. For custom installations using the binary packages, simply run the new installer over the existing directory.
  • On Linux: For distributions that ship GStreamer 1.28 (Fedora 38+, Ubuntu 23.10+, Debian Trixie), the update will arrive through normal package channels. Use apt update && apt upgrade or dnf update and verify with the version command.
  • In Docker containers: If you build media pipelines on the restreamio/gstreamer base image, switch to the 1.28.5-dev tag and rebuild your containers.

For Developers

  • Update your SDK: If you bundle the GStreamer redistributables, replace the DLLs in your installer package with those from the 1.28.5 release. If you link against system-provided libraries, update your build machine’s development packages.
  • Re-test your pipelines: The HLS fix may alter seek behavior slightly. Verify that your application’s expected seek position accuracy and buffer fill levels are still within acceptable thresholds.
  • Audit for deprecated APIs: Grep your codebase for the removed symbols and replace them with their modern equivalents. The removal list is in the release notes.

Verify the Fixes Work

  • HLS: Open a live HLS test stream (e.g., https://test-streams.mux.dev/x36xhzz/x36xhzz.m3u8), seek backward and forward multiple times. The video and audio should remain cohesive without artifacts.
  • Subtitles on AMD: Play a video with external SRT subtitles using the playbin example from the GStreamer tutorials. Ensure subtitles are stable and do not flicker during scene changes or scaling.
  • VVC: If you have available VVC content, test with the command:
    gst-launch-1.0 filesrc location=vvc_sample.mp4 ! qtdemux ! h266parse ! d3d11h266dec ! d3d11videosink
    and observe smooth playback with hardware acceleration (check Task Manager GPU load).

Outlook: Stability Before the Next Wave

The GStreamer project has signaled that the 1.28 series will continue receiving maintenance fixes until the end of 2025, when the 1.30 branch is expected to stabilize. That upcoming release is likely to bring ML-powered upscaling via the OpenVINO and ONNX runtimes, improved VR180/360 streaming for Meta Quest devices, and native integration with Windows’ new DirectStorage API for ultra-fast texture loading.

For now, 1.28.5 delivers the kind of unseen polish that keeps media applications reliable. Next time you binge a Windows HLS stream without a glitch or watch a subtitled movie on your AMD laptop without distraction, this update is why.