CVE-2024-47538

CRITICAL
2024-12-12 [email protected]
9.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 12, 2024 - 02:03 nvd
CRITICAL 9.8

Description

GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The `position` array is a stack-allocated buffer of size 64. If `vd->vi.channels` exceeds 64, the for loop will write beyond the boundaries of the `position` array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows an attacker to overwrite the saved EIP (return address) stored on the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10.

Analysis

A stack buffer overflow vulnerability exists in GStreamer's Vorbis audio decoder that allows remote attackers to execute arbitrary code without authentication. The flaw occurs when processing malicious Vorbis audio files with more than 64 channels, leading to stack memory corruption and potential control over the instruction pointer (EIP). While not currently in CISA's Known Exploited Vulnerabilities catalog, the vulnerability has a critical CVSS score of 9.8 and patches are available.

Technical Context

GStreamer is a widely-used open source multimedia framework for constructing media processing pipelines, identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability manifests as a classic stack buffer overflow (CWE-121) in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`, where a fixed-size stack array of 64 elements is overflowed when processing Vorbis audio streams claiming to have more than 64 channels. This allows attackers to overwrite critical stack data including the return address and the `GstAudioInfo` structure, potentially leading to arbitrary code execution in the context of the application using GStreamer.

Affected Products

GStreamer versions prior to 1.24.10 are affected by this vulnerability, as confirmed by the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically impacts the Vorbis audio decoder plugin (gstvorbisdec) component. Official security information is available at https://gstreamer.freedesktop.org/security/sa-2024-0022.html, with additional technical details provided by GitHub Security Lab at https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/. Debian has also issued security updates as documented at https://lists.debian.org/debian-lts-announce/2024/12/msg00021.html.

Remediation

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8035.patch and should be applied immediately for systems processing untrusted media content. Until patching is possible, implement strict input validation to reject Vorbis files claiming more than 64 audio channels, isolate media processing services in sandboxed environments, and avoid processing untrusted media files in security-sensitive contexts. Organizations should reference the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0022.html for comprehensive patching guidance.
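
One way to implement the interim input validation described above, as an added example that is not GStreamer's code or its patch: a pre-filter that reads the channel count from the Vorbis identification packet in the first Ogg page and rejects anything outside 1 to 64. The function names are hypothetical, and the byte offsets are an assumption taken from the public Ogg and Vorbis I format specifications, not from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 64  /* size of the position array named in the advisory */
#define IDENT_LEN    30  /* fixed size of a Vorbis identification packet */

/* Channel count declared by an identification packet, or -1 if malformed.
 * Offsets are assumed from the Vorbis I specification. */
int vorbis_ident_channels(const uint8_t *p, size_t len)
{
    if (!p || len < IDENT_LEN) return -1;
    if (p[0] != 0x01 || memcmp(p + 1, "vorbis", 6) != 0) return -1;
    if (p[7] | p[8] | p[9] | p[10]) return -1;  /* vorbis_version must be 0 */
    if (!(p[29] & 1)) return -1;                /* framing bit must be set */
    return p[11];                               /* audio_channels, 0..255 */
}

/* 1 = accept, 0 = reject. `page` is the first Ogg page of the stream.
 * The page CRC is not verified here. */
int first_page_is_acceptable(const uint8_t *page, size_t len)
{
    if (!page || len < 27 || memcmp(page, "OggS", 4) != 0) return 0;
    size_t off = 27 + (size_t)page[26];         /* header + segment table */
    if (off > len) return 0;
    int ch = vorbis_ident_channels(page + off, len - off);
    return ch >= 1 && ch <= MAX_CHANNELS;
}

/* Constructed sample: a 58-byte first page declaring `channels` channels. */
int sample_verdict(uint8_t channels)
{
    uint8_t pg[58] = {0};
    memcpy(pg, "OggS", 4);
    pg[5] = 0x02;                     /* beginning-of-stream flag */
    pg[26] = 1; pg[27] = IDENT_LEN;   /* one segment of 30 bytes */
    uint8_t *p = pg + 28;
    p[0] = 0x01; memcpy(p + 1, "vorbis", 6);
    p[11] = channels;
    p[12] = 0x44; p[13] = 0xAC;       /* 44100 Hz, little-endian */
    p[28] = 0xB8;                     /* block sizes 256 and 2048 */
    p[29] = 0x01;                     /* framing bit */
    return first_page_is_acceptable(pg, sizeof pg);
}

int main(void)
{
    printf("%d %d %d\n", sample_verdict(2), sample_verdict(64), sample_verdict(65));
    return 0;
}
```

The filter only covers Vorbis carried in Ogg and fails closed on anything it cannot parse; it is a stopgap in front of the decoder, and upgrading to 1.24.10 remains the fix.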

Priority Score

49
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
