GStreamer CVE-2024-47544

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: NULL Pointer Dereference (CWE-476)
Published: 2024-12-12 by security-advisories@github.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (3 events)

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch released: Mar 17, 2026 - 20:45 (nvd) - Patch available
CVE Published: Dec 12, 2024 - 02:03 (nvd) - HIGH 7.5

Description (NVD)

GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10.

Analysis (AI)

A null pointer dereference vulnerability exists in the GStreamer multimedia framework's qtdemux_parse_sbgp function, allowing remote attackers to cause denial of service through crafted media files. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be triggered without authentication when processing malicious QuickTime/MP4 files. With an EPSS score of 0.10% and no known KEV listing, this represents a moderate stability risk primarily relevant for applications processing untrusted media content.

Technical Context (AI)

GStreamer is a pipeline-based multimedia framework that links together a wide variety of media processing systems to complete complex workflows. The vulnerability specifically affects the QuickTime demuxer component (qtdemux.c), which is responsible for parsing QuickTime and MP4 container formats. According to the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all versions of GStreamer prior to 1.24.10 are affected. The CWE-476 classification indicates this is a NULL pointer dereference bug, occurring when the qtdemux_parse_sbgp function attempts to access memory through a null pointer, likely due to insufficient validation of input data structures when parsing sample grouping boxes ('sbgp') in media files.
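As an added illustration of the defensive pattern a CWE-476 bug in a box parser lacks, the following C code parses the sample-to-group ('sbgp') box payload laid out in ISO/IEC 14496-12 with length checks and a NULL check on the consumer side. It is written for this advisory: it is not GStreamer's qtdemux_parse_sbgp, it does not reconstruct the actual defect, and the struct names, helper functions and the constructed sample boxes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Defensive parser for an ISO BMFF 'sbgp' (SampleToGroupBox) payload, written as an
 * illustration for this advisory: not GStreamer's code, not the CVE-2024-47544 defect. */
typedef struct { uint32_t sample_count, group_description_index; } SbgpEntry;
typedef struct { uint8_t version; uint32_t grouping_type, entry_count;
                 SbgpEntry *entries; } SbgpBox;  /* entries stays NULL when entry_count == 0 */
static uint32_t rd32(const uint8_t *p) {          /* big-endian u32 */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
/* 0 on success, -1 if truncated or inconsistent; *out is zeroed first so entries is never stale. */
int sbgp_parse(const uint8_t *data, size_t len, SbgpBox *out) {
    if (out == NULL) return -1;
    *out = (SbgpBox){0};
    if (data == NULL || len < 12) return -1;  /* version+flags, grouping_type, entry_count */
    out->version = data[0];
    out->grouping_type = rd32(data + 4);
    size_t pos = 8;
    if (out->version == 1) { if (len < 16) return -1; pos += 4; }  /* grouping_type_parameter */
    uint32_t n = rd32(data + pos); pos += 4;
    if (n > (len - pos) / 8) return -1;       /* 8 bytes per entry; avoids n*8 overflow */
    if (n == 0) return 0;                     /* entries stays NULL: consumers must check */
    if ((out->entries = calloc(n, sizeof *out->entries)) == NULL) return -1;
    for (uint32_t i = 0; i < n; i++, pos += 8) {
        out->entries[i].sample_count = rd32(data + pos);
        out->entries[i].group_description_index = rd32(data + pos + 4);
    }
    out->entry_count = n;
    return 0;
}
/* Consumer that tests the pointer instead of dereferencing it blindly. */
uint64_t sbgp_total_samples(const SbgpBox *box) {
    uint64_t total = 0;
    if (box == NULL || box->entries == NULL) return 0;
    for (uint32_t i = 0; i < box->entry_count; i++) total += box->entries[i].sample_count;
    return total;
}
/* Constructed inputs (not from any real file): a v0 box with two 'roll'
 * entries of 24 and 16 samples, and a v0 box that declares zero entries. */
static const uint8_t kSbgpTwo[28] = { 0,0,0,0, 'r','o','l','l', 0,0,0,2,
                                      0,0,0,24, 0,0,0,1, 0,0,0,16, 0,0,0,0 };
static const uint8_t kSbgpEmpty[12] = { 0,0,0,0, 'r','o','l','l', 0,0,0,0 };
/* Parse len bytes of data; total samples on success, -1 if the box was rejected. */
long sbgp_demo(const uint8_t *data, size_t len) {
    SbgpBox box;
    if (sbgp_parse(data, len, &box) != 0) return -1;
    long total = (long)sbgp_total_samples(&box);
    free(box.entries); return total;
}
```

Truncating the constructed box so that fewer entries remain than entry_count declares is rejected up front, and a box with zero entries leaves entries NULL, which the consumer tolerates rather than dereferences.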

Remediation (AI)

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch and should be applied through your distribution's package manager or by building from source. For systems that cannot immediately upgrade, implement input validation for media files before processing with GStreamer applications, restrict processing of untrusted media content, and consider running GStreamer-based services in isolated environments with resource limits to minimize denial of service impact. Consult the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0011.html for additional vendor guidance.

CVE-2024-47544 vulnerability details – vuln.today