GStreamer CVE-2021-3522
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.
AnalysisAI
GStreamer versions prior to 1.18.4 contain an out-of-bounds read vulnerability when processing malformed ID3v2 tags, potentially leading to denial of service through information disclosure or application crash. The vulnerability affects GStreamer itself and multiple NetApp products (Active IQ Unified Manager, E-Series Santricity, OnCommand suite, and HCI Management Node) that embed or depend on GStreamer libraries. An attacker can trigger this vulnerability by crafting a malicious audio file with specially formatted ID3v2 metadata and providing it to an application that uses the affected GStreamer library, though the EPSS score of 0.13% (32nd percentile) suggests limited real-world exploitation likelihood despite the moderate CVSS 5.5 rating.
Technical ContextAI
The vulnerability exists in GStreamer's ID3v2 tag parsing implementation (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), a widely-used multimedia framework. ID3v2 is a metadata container standard embedded in audio files, primarily MP3s. The root cause is classified as CWE-125 (Out-of-bounds Read), occurring when the parser fails to properly validate tag boundary lengths before attempting memory access. An attacker crafts an ID3v2 tag with malformed frame size or offset values that cause the parser to read beyond allocated buffer boundaries. This affects downstream consumers including NetApp products: Active IQ Unified Manager (VMware vSphere and Windows variants), E-Series Santricity OS Controller, Santricity Storage Manager, Santricity Web Services Proxy, HCI Management Node, OnCommand Insight, OnCommand Workflow Automation, and Santricity Unified Manager, all of which process audio or multimedia content that may contain ID3v2 metadata.
RemediationAI
Upgrade GStreamer to version 1.18.4 or later from the official GStreamer project repository. NetApp customers should apply the vendor patch documented in advisory ntap-20211022-0004 (https://security.netapp.com/advisory/ntap-20211022-0004/), which includes updates for all affected products. For Red Hat/CentOS systems, update GStreamer packages via yum/dnf repositories (see Red Hat BZ#1954761 at https://bugzilla.redhat.com/show_bug.cgi?id=1954761). Gentoo users should follow the GLSA 202208-31 guidance. If immediate patching is unavailable, mitigate by restricting user access to untrusted audio files in environments where GStreamer processes user-supplied media, implementing file type validation to reject suspicious ID3v2 structures, and monitoring for crashes in GStreamer-dependent applications. Validate ID3v2 tags using dedicated metadata validators before processing.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today