What is the CVSS score of CVE-2023-37328?

CVE-2023-37328 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 7.7%.

Which versions of Gstreamer are affected by CVE-2023-37328?

CVE-2023-37328 presents significant security risk, a heap-based buffer overflow vulnerability rated CVSS 8.8.

How to fix or mitigate CVE-2023-37328?

Within 7 days: Identify all affected systems and apply vendor patches promptly. If patching is delayed, consider network segmentation to limit exposure.

Gstreamer CVE-2023-37328

HIGH

Heap-based Buffer Overflow (CWE-122)

2024-05-03 zdi-disclosures@trendmicro.com

RCE Buffer Overflow Gstreamer

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

CVE Published

May 03, 2024 - 02:15 nvd

HIGH 8.8

DescriptionNVD

GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the parsing of PGS subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. . Was ZDI-CAN-20994.

AnalysisAI

A heap-based buffer overflow vulnerability in GStreamer's PGS (Presentation Graphic Stream) subtitle file parser allows remote attackers to execute arbitrary code when processing malicious subtitle files. The vulnerability affects all GStreamer installations and requires user interaction to exploit, typically by opening a media file with crafted PGS subtitles. With an EPSS score of 7.71% (92nd percentile), this vulnerability represents a significant exploitation risk in the wild.

Technical ContextAI

GStreamer is a widely-used open-source multimedia framework that handles audio and video processing across numerous applications and platforms. The vulnerability resides in the PGS subtitle parsing component, where insufficient validation of user-supplied data length leads to a heap buffer overflow (CWE-122). According to the CPE data (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all versions of GStreamer are affected. PGS subtitles are commonly used in Blu-ray discs and digital media files, making this a broad attack surface for multimedia applications using GStreamer.

RemediationAI

Update GStreamer to the latest patched version as specified in security advisory SA-2023-0003 at https://gstreamer.freedesktop.org/security/sa-2023-0003.html. For Fedora users, apply the security updates referenced at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQEFZ6ZB3C2XU4JQD3IAFMQIN456W2D/. As an immediate mitigation, disable PGS subtitle processing or restrict media file sources to trusted origins only. Organizations should inventory all applications using GStreamer libraries and prioritize patching based on exposure to untrusted media files.

CVE-2023-37328 vulnerability details – vuln.today

Back

Gstreamer CVE-2023-37328

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code