CVE-2024-47541
Severity: HIGH (CVSS 3.1 base score 7.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10.
Analysis
An out-of-bounds write vulnerability exists in GStreamer's SSA subtitle parser (gstssaparse.c). It is triggered when a style override code in SubStation Alpha text is malformed so that a closing curly bracket appears before an opening one: the parser then calls memmove() with a length that grows on every loop iteration, corrupting memory past the end of the string buffer and crashing the process (denial of service; the CVSS vector rates no confidentiality or integrity impact). A public proof-of-concept is available from GitHub Security Lab (GHSL-2024-228). The EPSS score is low at 0.09% (25th percentile), meaning a low predicted probability of exploitation in the wild over the next 30 days, not that the bug is hard to trigger.
Technical Context
GStreamer is a widely-used multimedia framework for constructing media-handling pipelines, commonly deployed in Linux distributions, embedded systems, and desktop applications. The vulnerability affects the SSA (SubStation Alpha) subtitle format parser in gstssaparse.c, specifically the gst_ssa_parse_remove_override_codes function that strips style override codes enclosed in curly brackets before the text is rendered. It is classified as CWE-787 (Out-of-bounds Write): the function finds the next "{" but searches for the matching "}" without checking that it lies after the "{", so a "}" that precedes the "{" yields a source pointer before the destination and a memmove() length (strlen(end+1)) that is larger than the bytes remaining in the buffer. Because the copy duplicates text instead of removing it, the "{" is never consumed, the loop never terminates, and each iteration writes further past the end of the allocation. The CPE identifier cpe:2.3:a:gstreamer:gstreamer names the GStreamer project as a whole; the parser itself ships in the gst-plugins-base module (gst/subparse/gstssaparse.c, the ssaparse element), so that is the package that carries the fix.
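The loop shape described above, as an added example written for this page rather than GStreamer's own code (the function names, the scratch-buffer dry run and the sample strings are this example's own): the hardened version searches for "}" starting at the "{" it just found, so the memmove() length can never exceed the bytes left after that point, while the dry-run function reproduces the vulnerable pattern of searching from the start of the string and reports how far past the original allocation each iteration would write, without performing the out-of-bounds write itself.

```c
/* Added example modelling the override-code removal loop. Not GStreamer's
 * code; function names and sample inputs are this example's own. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hardened in-place removal of {...} override codes.
 * The closing brace is searched from the opening brace (t), not from the
 * start of the string, so a stray '}' before a '{' can never make the
 * memmove() length exceed the bytes remaining after t.
 * Returns the number of codes removed, or -1 if a '{' has no matching '}'. */
static int remove_override_codes_fixed(char *txt)
{
    int removed = 0;
    char *t;
    while ((t = strchr(txt, '{')) != NULL) {
        char *end = strchr(t, '}');          /* search from t, not txt */
        if (end == NULL)
            return -1;                       /* unterminated code: refuse */
        /* end+1 lies after t, so strlen(end+1)+1 <= bytes left after t */
        memmove(t, end + 1, strlen(end + 1) + 1);
        removed++;
    }
    return removed;
}

#define SCRATCH 256

/* Dry run of the vulnerable loop shape ('}' searched from the start of the
 * string). Runs in an oversized scratch buffer so this program itself stays
 * memory-safe, and returns the largest number of bytes the loop would have
 * written past the original allocation (strlen(input)+1). 0 means the loop
 * finished without ever writing out of bounds. */
static size_t vulnerable_overflow_bytes(const char *input, int max_iters)
{
    char buf[SCRATCH];
    size_t alloc = strlen(input) + 1;
    size_t overflow = 0;
    char *t;
    if (alloc > SCRATCH)
        return 0;
    memcpy(buf, input, alloc);
    for (int i = 0; i < max_iters && (t = strchr(buf, '{')) != NULL; i++) {
        char *end = strchr(buf, '}');        /* BUG: may point before t */
        if (end == NULL)
            break;
        size_t n = strlen(end + 1) + 1;      /* grows every pass when end < t */
        size_t write_end = (size_t)(t - buf) + n;
        if (write_end > SCRATCH)
            break;                           /* stop before our own scratch ends */
        if (write_end > alloc && write_end - alloc > overflow)
            overflow = write_end - alloc;
        memmove(t, end + 1, n);              /* duplicates text, '{' survives */
    }
    return overflow;
}

int main(void)
{
    char ok[] = "{\\i1}Hello{\\i0} world";  /* constructed well-formed line */
    char bad[] = "}a{b";                    /* constructed: '}' before '{' */
    int n = remove_override_codes_fixed(ok);
    printf("fixed: removed %d codes -> \"%s\"\n", n, ok);
    printf("fixed on \"%s\": %d (refused)\n", bad, remove_override_codes_fixed(bad));
    for (int iters = 1; iters <= 3; iters++)
        printf("vulnerable loop on \"%s\", %d iteration(s): %zu bytes past the allocation\n",
               bad, iters, vulnerable_overflow_bytes(bad, iters));
    printf("vulnerable loop on well-formed input: %zu bytes past the allocation\n",
           vulnerable_overflow_bytes(ok, 10));
    return 0;
}
```

The dry run shows the two properties the advisory text describes: a well-formed line never writes out of bounds, and the "}a{b" line overshoots on the very first pass and by more on each following one, because the copy moves the "{" forward instead of removing it.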
Affected Products
GStreamer versions prior to 1.24.10 are vulnerable according to the official security advisory. The affected component is identified via CPE as cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* with version constraints ending before 1.24.10. This impacts numerous downstream products and Linux distributions that bundle GStreamer, as evidenced by Debian LTS issuing security updates (referenced at https://lists.debian.org/debian-lts-announce/2024/12/msg00021.html). The complete vendor security advisory is available at https://gstreamer.freedesktop.org/security/sa-2024-0023.html.
Remediation
Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability as documented in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0023.html. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036.patch for review or backporting; since the fix is confined to the SSA parser it backports cleanly to older branches, which is how distributions such as Debian LTS ship it. Until patching is feasible, apply defense-in-depth measures: do not let GStreamer-based applications process untrusted media, keeping in mind that SSA/ASS subtitle tracks can arrive embedded in container formats such as Matroska and not only as standalone subtitle files; run such applications under sandboxing or containerization to limit the impact of a crash or memory corruption; and disable the SSA subtitle parser (the ssaparse element) where it is not required. Linux distribution users should apply vendor-provided security updates through their package managers as they become available.