What is the CVSS score of CVE-2024-47542?

CVE-2024-47542 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Gstreamer are affected by CVE-2024-47542?

Organizations using GStreamer face notable risk from CVE-2024-47542, a out-of-bounds read vulnerability rated CVSS 7.5. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2024-47542?

Yes, a public proof-of-concept exploit is available for CVE-2024-47542. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-47542?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Gstreamer CVE-2024-47542

HIGH

Out-of-bounds Read (CWE-125)

2024-12-12 security-advisories@github.com

Denial Of Service Gstreamer

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

Patch released

Mar 17, 2026 - 20:45 nvd

Patch available

PoC Detected

Mar 17, 2026 - 15:52 vuln.today

Public exploit code

CVE Published

Dec 12, 2024 - 02:03 nvd

HIGH 7.5

DescriptionNVD

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

AnalysisAI

A null pointer dereference vulnerability exists in the GStreamer multimedia framework's ID3v2 tag parsing functionality, specifically in the id3v2_read_synch_uint function. The vulnerability allows remote attackers to cause a Denial of Service (DoS) through a segmentation fault without requiring authentication or user interaction. A public proof-of-concept exploit is available from GitHub Security Lab (GHSL-2024-235), though EPSS scoring indicates only a 0.08% probability of active exploitation in the wild (23rd percentile).

Technical ContextAI

GStreamer (cpe:2.3:a:gstreamer:gstreamer) is a widely-used open-source multimedia framework for constructing media processing pipelines across Linux and embedded systems. This vulnerability manifests as CWE-125 (Out-of-bounds Read) in the ID3v2 metadata parsing code within id3v2.c. The id3v2_read_synch_uint function fails to validate that work->hdr.frame_data is non-null before dereferencing it to populate the data pointer, causing the process to attempt reading from address zero. ID3v2 is a metadata container format commonly embedded in MP3 and other audio files, making this vulnerability triggerable through malformed media file processing.

RemediationAI

Upgrade GStreamer to version 1.24.10 or later as documented in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0008.html. The fix is available via merge request at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8033.patch. Debian LTS users should apply updates per https://lists.debian.org/debian-lts-announce/2024/12/msg00021.html. Until patching is completed, implement defense-in-depth by sanitizing or validating media files from untrusted sources before processing, running GStreamer pipelines in sandboxed environments with resource limits, and restricting network access to media processing services to trusted sources only.

CVE-2024-47542 vulnerability details – vuln.today

Back

Gstreamer CVE-2024-47542

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code