Skip to main content

Gstreamer CVE-2024-47539

CRITICAL
Out-of-bounds Write (CWE-787)
2024-12-12 security-advisories@github.com
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 12, 2024 - 02:03 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.

AnalysisAI

An out-of-bounds write vulnerability in GStreamer's isomp4/qtdemux.c allows remote attackers to overwrite up to 3 bytes beyond allocated memory boundaries when processing media files. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be exploited without authentication over the network, potentially leading to remote code execution. While no active exploitation has been reported (not in KEV), the vulnerability has a critical CVSS score of 9.8 and patches are available.

Technical ContextAI

GStreamer is a widely-used open-source multimedia framework for constructing media-handling pipelines, commonly deployed in Linux distributions, media players, and streaming applications. The vulnerability (CWE-787: Out-of-bounds Write) occurs in the convert_to_s334_1a function within the ISO MP4 demultiplexer component, where a logic error causes misalignment between allocated memory size and loop iteration bounds when ccpair_size is an even number. Based on the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all versions of GStreamer prior to 1.24.10 are affected, making this a widespread issue across numerous media processing applications.

RemediationAI

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch and should be applied immediately to all affected systems. For systems that cannot be immediately upgraded, consider implementing network-level filtering to block untrusted media files from being processed by GStreamer-based applications, particularly for internet-facing services. Debian users should refer to the security announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html for distribution-specific patches.

CVE-2016-9636 CRITICAL POC
9.8 Jan 27

Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer

CVE-2016-9635 CRITICAL POC
9.8 Jan 27

Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer

CVE-2016-9634 CRITICAL POC
9.8 Jan 27

Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer

CVE-2016-9808 HIGH POC
7.5 Jan 13

The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write an

CVE-2019-9928 HIGH
8.8 Apr 24

A heap-based buffer overflow vulnerability exists in GStreamer's RTSP connection parser that allows remote attackers to

CVE-2022-1920 HIGH POC
7.8 Jul 19

An integer overflow vulnerability in the GStreamer multimedia framework's matroska demuxer allows heap memory corruption

CVE-2022-2122 HIGH POC
7.8 Jul 19

A critical integer overflow vulnerability in GStreamer's qtdemux element allows attackers to trigger denial of service o

CVE-2022-1924 HIGH POC
7.8 Jul 19

A critical integer overflow vulnerability in the GStreamer multimedia framework's Matroska (MKV) demuxer can cause denia

CVE-2022-1922 HIGH POC
7.8 Jul 19

An integer overflow vulnerability in GStreamer's Matroska demuxer can cause denial of service or potentially heap memory

CVE-2022-1921 HIGH POC
7.8 Jul 19

An integer overflow vulnerability in GStreamer's AVI demux element allows attackers to trigger a heap overwrite when par

CVE-2022-1925 HIGH POC
7.8 Jul 19

A heap overflow vulnerability exists in GStreamer's matroskaparse element due to an integer overflow in the gst_matroska

CVE-2022-1923 HIGH POC
7.8 Jul 19

An integer overflow vulnerability in GStreamer's matroska demuxer can cause denial of service through segmentation fault

Share

CVE-2024-47539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy