CVE-2019-9928

Severity: HIGH (CVSS 3.0 base score 8.8)
Published: 2019-04-24 ([email protected])

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
CVE Published: Apr 24, 2019 - 15:29 (nvd)

Description

GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP connection parser via a crafted response from a server, potentially allowing remote code execution.

Analysis

A heap-based buffer overflow vulnerability exists in GStreamer's RTSP connection parser that allows remote attackers to execute arbitrary code by sending a specially crafted response from a malicious RTSP server. The vulnerability affects all GStreamer versions prior to 1.16.0 and requires user interaction (connecting to a malicious server); its CVSS score of 8.8 indicates high severity. While no active exploitation has been confirmed (the CVE is not in CISA's KEV catalog), the vulnerability has been publicly disclosed with security advisories available, and the attack vector is relatively straightforward for attackers with RTSP protocol knowledge.

Technical Context

GStreamer is a widely used open-source multimedia framework that handles various media formats and protocols, including RTSP (Real Time Streaming Protocol), which is commonly used for streaming video content. The vulnerability stems from improper bounds checking in the RTSP connection parser, classified as CWE-787 (Out-of-bounds Write): the parser fails to validate the size of incoming data before copying it to a heap buffer. Based on the CPE data, the core affected product is GStreamer itself (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) in versions before 1.16.0, and the vulnerable code ships in the GStreamer packages of several Linux distributions, including Debian 8.0 and 9.0 and Ubuntu 16.04 LTS, 18.04 LTS, and 18.10.

Affected Products

GStreamer versions prior to 1.16.0 are vulnerable to this heap-based buffer overflow (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*). The vulnerability affects multiple Linux distributions that package GStreamer, including Debian Linux 8.0 and 9.0, Ubuntu 16.04 LTS, 18.04 LTS, and 18.10, as well as openSUSE and Gentoo Linux. The official GStreamer security advisory is available at https://gstreamer.freedesktop.org/security/sa-2019-0001.html, with distribution-specific advisories published by Debian (DSA-4437), Ubuntu (USN-3958-1), and various other vendors linked in the references.

Remediation

Upgrade GStreamer to version 1.16.0 or later as detailed in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2019-0001.html. For distribution-packaged versions, apply the vendor-specific security updates: Debian users should reference DSA-4437 (https://www.debian.org/security/2019/dsa-4437), Ubuntu users should apply USN-3958-1 (https://usn.ubuntu.com/3958-1/), and openSUSE users should consult their respective security announcements. As a temporary mitigation until patching is complete, avoid connecting GStreamer-based applications to untrusted RTSP servers and consider implementing network segmentation to restrict RTSP connections to known, trusted sources only.

Priority Score

Priority Score: 61 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +17.3
CVSS: +44
POC: 0


CVE-2019-9928 vulnerability details – vuln.today
