GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.
