What is the CVSS score of CVE-2024-47539?

CVE-2024-47539 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Gstreamer are affected by CVE-2024-47539?

Organizations using GStreamer face critical risk from CVE-2024-47539, a out-of-bounds write vulnerability rated CVSS 9.8.. A patch is available.

How to fix or mitigate CVE-2024-47539?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. If patching is delayed, consider network segmentation to limit exposure.

Gstreamer CVE-2024-47539

CRITICAL

Out-of-bounds Write (CWE-787)

2024-12-12 security-advisories@github.com

Buffer Overflow Gstreamer

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

Patch released

Mar 17, 2026 - 20:45 nvd

Patch available

CVE Published

Dec 12, 2024 - 02:03 nvd

CRITICAL 9.8

DescriptionNVD

GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.

AnalysisAI

An out-of-bounds write vulnerability in GStreamer's isomp4/qtdemux.c allows remote attackers to overwrite up to 3 bytes beyond allocated memory boundaries when processing media files. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be exploited without authentication over the network, potentially leading to remote code execution. While no active exploitation has been reported (not in KEV), the vulnerability has a critical CVSS score of 9.8 and patches are available.

Technical ContextAI

GStreamer is a widely-used open-source multimedia framework for constructing media-handling pipelines, commonly deployed in Linux distributions, media players, and streaming applications. The vulnerability (CWE-787: Out-of-bounds Write) occurs in the convert_to_s334_1a function within the ISO MP4 demultiplexer component, where a logic error causes misalignment between allocated memory size and loop iteration bounds when ccpair_size is an even number. Based on the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all versions of GStreamer prior to 1.24.10 are affected, making this a widespread issue across numerous media processing applications.

RemediationAI

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch and should be applied immediately to all affected systems. For systems that cannot be immediately upgraded, consider implementing network-level filtering to block untrusted media files from being processed by GStreamer-based applications, particularly for internet-facing services. Debian users should refer to the security announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html for distribution-specific patches.

CVE-2024-47539 vulnerability details – vuln.today

Back

Gstreamer CVE-2024-47539

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code