Gstreamer
CVE-2024-47541
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10.
AnalysisAI
An out-of-bounds write vulnerability exists in GStreamer's SSA subtitle parser (gstssaparse.c) that occurs when malformed SubStation Alpha style override codes contain a closing curly bracket before an opening bracket. This triggers progressively larger memory writes via memmove(), leading to memory corruption and denial of service. A public proof-of-concept exploit is available from GitHub Security Lab (GHSL-2024-228), though the EPSS score remains relatively low at 0.09% (25th percentile), indicating limited observed exploitation activity in the wild.
Technical ContextAI
GStreamer is a widely-used multimedia framework library for constructing media-handling pipelines, commonly deployed in Linux distributions, embedded systems, and desktop applications. The vulnerability affects the SSA (SubStation Alpha) subtitle format parser in the gstssaparse.c component, specifically within the gst_ssa_parse_remove_override_codes function responsible for parsing style override codes enclosed in curly brackets. This is classified as CWE-787 (Out-of-bounds Write), where improper validation of bracket ordering causes memmove() to be called with progressively increasing length parameters (strlen(end+1)) on each iteration, writing beyond allocated heap boundaries. The CPE identifier cpe:2.3:a:gstreamer:gstreamer confirms this affects the core GStreamer library.
RemediationAI
Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability as documented in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0023.html. The specific patch code is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8036.patch for review or backporting purposes. Until patching is feasible, implement defense-in-depth measures including restricting GStreamer-based applications from processing untrusted subtitle files from external sources, employing application sandboxing or containerization to limit exploit impact, and disabling SSA subtitle parsing if not required for operational purposes. Linux distribution users should apply vendor-provided security updates through their package managers as they become available.
Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer
Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer
Heap-based buffer overflow in the flx_decode_delta_fli function in gst/flx/gstflxdec.c in the FLIC decoder in GStreamer
The FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service (out-of-bounds write an
A heap-based buffer overflow vulnerability exists in GStreamer's RTSP connection parser that allows remote attackers to
An integer overflow vulnerability in the GStreamer multimedia framework's matroska demuxer allows heap memory corruption
A critical integer overflow vulnerability in GStreamer's qtdemux element allows attackers to trigger denial of service o
A critical integer overflow vulnerability in the GStreamer multimedia framework's Matroska (MKV) demuxer can cause denia
An integer overflow vulnerability in GStreamer's Matroska demuxer can cause denial of service or potentially heap memory
An integer overflow vulnerability in GStreamer's AVI demux element allows attackers to trigger a heap overwrite when par
A heap overflow vulnerability exists in GStreamer's matroskaparse element due to an integer overflow in the gst_matroska
An integer overflow vulnerability in GStreamer's matroska demuxer can cause denial of service through segmentation fault
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today