CVE-2024-4453

Severity: HIGH 7.8 (CVSS 3.1)
2024-05-22 [email protected]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: May 22, 2024 - 20:15 (nvd), HIGH 7.8

Description

GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23896.

Analysis

An integer overflow vulnerability in GStreamer's EXIF metadata parsing functionality allows remote attackers to execute arbitrary code when the library processes malicious media files containing crafted EXIF data. The vulnerability affects GStreamer versions 1.24.0 and 1.24.1. It requires user interaction to trigger, and code runs in the context of the running process, which can lead to full compromise of whatever that process can reach. The EPSS score of 3.61% (88th percentile) indicates moderate real-world exploitation likelihood, and patches are available. This represents a significant risk for applications using GStreamer for media processing.

Technical Context

GStreamer is a widely used open-source multimedia framework that processes various media formats, including images with EXIF metadata. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound): during EXIF metadata parsing, insufficient validation of user-supplied data causes an integer overflow before buffer allocation. Based on the CPE data, specifically affected versions include GStreamer 1.24.0 and 1.24.1 (cpe:2.3:a:gstreamer:gstreamer:1.24.0 and cpe:2.3:a:gstreamer:gstreamer:1.24.1), with Debian 10 also listed as affected (cpe:2.3:o:debian:debian_linux:10.0). The Zero Day Initiative tracked this as ZDI-CAN-23896 before public disclosure as ZDI-24-467.
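
The CWE-190 pattern described above, sketched as an added example that is not GStreamer's code or its patch: a size derived from a length field wraps before allocation, shown beside a checked form. The function names and the choice of an EXIF IFD entry's count multiplied by its field-type width are assumptions for illustration; this page does not state which computation overflows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Byte width of each TIFF/EXIF field type, indexed by type code 1..12
 * (BYTE, ASCII, SHORT, LONG, RATIONAL, SBYTE, UNDEFINED, SSHORT, SLONG,
 * SRATIONAL, FLOAT, DOUBLE). Index 0 is unused. */
static const uint32_t exif_type_width[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Unchecked pattern: the 32-bit product wraps silently, so a huge count can
 * yield a tiny allocation size. Hypothetical helper, shown for contrast. */
static uint32_t payload_size_unchecked(uint32_t count, uint32_t width)
{
    return count * width;
}

/* Checked form (hypothetical helper): returns 0 and stores the payload size
 * in *out, or -1 if the entry must be rejected. buf_len is the size of the
 * whole EXIF blob; offset is where the entry claims its payload starts. */
static int payload_size_checked(uint16_t type, uint32_t count, uint32_t offset,
                                size_t buf_len, size_t *out)
{
    if (type == 0 || type > 12)
        return -1;                          /* unknown field type */
    uint32_t width = exif_type_width[type];
    if (count > UINT32_MAX / width)
        return -1;                          /* count * width would wrap */
    uint32_t size = count * width;
    if (offset > buf_len || size > buf_len - offset)
        return -1;                          /* payload runs past the input */
    *out = size;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed entry: RATIONAL (8 bytes each) with count 0x20000001. */
    printf("unchecked size: %u\n", (unsigned)payload_size_unchecked(0x20000001u, 8));
    printf("checked result: %d\n", payload_size_checked(5, 0x20000001u, 8, 4096, &n));
    /* Constructed well-formed entry: 4 SHORTs at offset 8 in a 64-byte blob. */
    int rc = payload_size_checked(3, 4, 8, 64, &n);
    printf("valid result: %d, size %zu\n", rc, n);
    return 0;
}
```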

Affected Products

GStreamer versions 1.24.0 and 1.24.1 are confirmed vulnerable based on the CPE entries (cpe:2.3:a:gstreamer:gstreamer:1.24.0 and cpe:2.3:a:gstreamer:gstreamer:1.24.1). Debian Linux 10.0 is also affected according to the CPE data (cpe:2.3:o:debian:debian_linux:10.0), with Debian issuing a security announcement at https://lists.debian.org/debian-lts-announce/2024/05/msg00019.html. The vulnerability was initially reported to the Zero Day Initiative by [email protected] and assigned ZDI-24-467, with full details available at https://www.zerodayinitiative.com/advisories/ZDI-24-467/.

Remediation

Apply the official patch available at https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5 or upgrade to a patched version of GStreamer beyond 1.24.1. Debian users should follow the guidance in https://lists.debian.org/debian-lts-announce/2024/05/msg00019.html for system-specific updates. Until patching is complete, limit GStreamer's exposure to untrusted media files, particularly those containing EXIF metadata, and consider implementing input validation or sandboxing for media processing operations to minimize potential impact.

Priority Score

43
KEV: 0
EPSS: +3.6
CVSS: +39
POC: 0
