CVE-2024-47544
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10.
Analysis
A null pointer dereference vulnerability exists in the GStreamer multimedia framework's qtdemux_parse_sbgp function, allowing remote attackers to cause denial of service through crafted media files. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be triggered without authentication when processing malicious QuickTime/MP4 files. With an EPSS score of 0.10% and no known KEV listing, this represents a moderate stability risk primarily relevant for applications processing untrusted media content.
Technical Context
GStreamer is a pipeline-based multimedia framework that links together a wide variety of media processing systems to complete complex workflows. The vulnerability specifically affects the QuickTime demuxer component (qtdemux.c) which is responsible for parsing QuickTime and MP4 container formats. According to the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all versions of GStreamer prior to 1.24.10 are affected. The CWE-476 classification indicates this is a NULL pointer dereference bug, occurring when the qtdemux_parse_sbgp function attempts to access memory through a null pointer, likely due to insufficient validation of input data structures when parsing sample grouping boxes in media files.
Affected Products
GStreamer multimedia framework versions prior to 1.24.10 are affected by this vulnerability, as confirmed by CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability has been acknowledged by the GStreamer project in their security advisory SA-2024-0011 available at https://gstreamer.freedesktop.org/security/sa-2024-0011.html. Debian has also issued security updates for their LTS distributions as noted in https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html, indicating the vulnerability affects various Linux distributions that package GStreamer.
Remediation
Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch and should be applied through your distribution's package manager or by building from source. For systems that cannot immediately upgrade, implement input validation for media files before processing with GStreamer applications, restrict processing of untrusted media content, and consider running GStreamer-based services in isolated environments with resource limits to minimize denial of service impact. Consult the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0011.html for additional vendor guidance.
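The remediation above comes down to one question per host: is the installed GStreamer at or above 1.24.10? The following POSIX shell snippet is an added example, not part of the advisory or of the GStreamer project, that answers it. It assumes the pkg-config module name gstreamer-1.0 (the name GStreamer's own .pc file uses) for discovering the installed version; the comparison function itself accepts any version string, including distribution-suffixed ones such as 1.24.10-1, so it can be fed output from a package manager instead.

```shell
#!/bin/sh
# Added example (not from the advisory or the GStreamer project): report whether an
# installed GStreamer is at or above 1.24.10, the release the advisory names as fixed
# for CVE-2024-47544.

FIXED_VERSION="1.24.10"   # fixed release named in the advisory

# Split "MAJOR.MINOR.MICRO[suffix]" into three numeric components and print them
# as "MAJOR MINOR MICRO". Distro suffixes such as "-1" or "+dfsg" are dropped, and
# missing components default to 0 (so "1.24" compares as 1.24.0).
version_components() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; micro=${3:-0}
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; micro=${micro%%[!0-9]*}
    printf '%s %s %s\n' "${major:-0}" "${minor:-0}" "${micro:-0}"
}

# Returns 0 (success) when the version in $1 is >= FIXED_VERSION, 1 otherwise.
# Positional parameters after the set: $1 $2 $3 = installed, $4 $5 $6 = fixed.
gst_version_is_fixed() {
    set -- $(version_components "$1") $(version_components "$FIXED_VERSION")
    if [ "$1" -gt "$4" ]; then return 0; fi
    if [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; fi
    if [ "$2" -lt "$5" ]; then return 1; fi
    if [ "$3" -ge "$6" ]; then return 0; fi
    return 1
}

# Discover the installed version through pkg-config when it is available
# (assumed module name: gstreamer-1.0). Silently skip if pkg-config is absent.
installed=$(pkg-config --modversion gstreamer-1.0 2>/dev/null || true)
if [ -n "$installed" ]; then
    if gst_version_is_fixed "$installed"; then
        echo "GStreamer $installed: at or above $FIXED_VERSION, CVE-2024-47544 fix present"
    else
        echo "GStreamer $installed: below $FIXED_VERSION, upgrade for CVE-2024-47544"
    fi
else
    echo "pkg-config did not find gstreamer-1.0; call gst_version_is_fixed with a version string"
fi
```

One caveat for the comparison: distributions that backport the fix, such as the Debian LTS update referenced above, keep the older upstream version number, so on those systems the package changelog or the distribution advisory, not the upstream number, is the authoritative indicator.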