Gstreamer CVE-2024-47545
Severity: HIGH (CVSS vector from NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10.
Analysis (AI-generated)
An integer underflow in GStreamer's QuickTime/MP4 demuxer (qtdemux) lets a crafted media file trigger an out-of-bounds read, crashing the process that demuxes it. Versions before 1.24.10 are affected. The bug is in the strf handling of qtdemux_parse_trak: the parser subtracts 40 from the entry size without first checking that the size is at least 40, so a smaller size wraps to a large value that is then handed to gst_buffer_fill and on to memcpy. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, availability impact only) reflects a denial of service against any application that processes attacker-supplied media; no confidentiality or integrity impact is claimed. With an EPSS score of 0.13% and no known exploitation or public proof of concept at the time of writing, the practical risk is concentrated in services and applications that demux untrusted files.
Technical Context (AI-generated)
GStreamer is a widely used multimedia framework for building media-processing pipelines, identified by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerable code is in the qtdemux_parse_trak function in qtdemux.c, in the branch that parses an strf (stream format) entry inside the sample description. The parser assumes the entry begins with a 40-byte header and subtracts 40 from the entry's size variable to obtain the length of the codec data that follows. No check ensures the size is at least 40 first, so an entry declared smaller than 40 bytes drives the subtraction below zero; interpreted as a length, that negative value becomes a very large copy size (CWE-191, integer underflow). gst_buffer_fill then calls memcpy with that size and reads far past the end of the source buffer. The consequence is an out-of-bounds read rather than an out-of-bounds write, which matches the availability-only impact in the CVSS vector.
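The following is an added example, not code from GStreamer or from the advisories, that models the unchecked `size -= 40` pattern described above beside a hardened version of the same step. The atom layout (4-byte big-endian size, 4-byte fourcc, payload), the fixed 40-byte header length, and the function names are assumptions made for the illustration; the sample atoms are constructed inline. The vulnerable helper only computes the length the copy would be asked for, so it can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the strf handling the advisory describes; this is
 * added example code, not GStreamer's qtdemux.c. Assumed atom layout: 4-byte
 * big-endian size covering the whole atom, 4-byte fourcc, payload. The first
 * 40 bytes of an strf payload are treated as a fixed header and skipped;
 * whatever follows is copied out as codec data. */

#define ATOM_HEADER_LEN 8
#define STRF_FIXED_HDR  40

/* Unpatched pattern: 'size' is a signed int and 40 is subtracted without
 * checking that the payload holds at least 40 bytes. For a short atom the
 * result is negative, and converting it to size_t for the copy yields a
 * huge length. Returns the length the copy would be asked for. */
size_t vulnerable_copy_len(int payload_size)
{
    int size = payload_size;
    size -= STRF_FIXED_HDR;            /* underflows when payload_size < 40 */
    return (size_t) size;              /* negative int -> huge size_t */
}

/* Hardened counterpart: refuse any payload that cannot hold the fixed
 * header. Returns the codec-data length, or -1 for a malformed entry. */
long hardened_copy_len(int payload_size)
{
    if (payload_size < STRF_FIXED_HDR)
        return -1;
    return (long) payload_size - STRF_FIXED_HDR;
}

/* Hardened extraction of strf codec data from one atom. Every length is
 * checked against the bytes actually available before it is used. Returns
 * the number of bytes copied into dst, or -1 if the atom is malformed or
 * the codec data would not fit in dst. */
int parse_strf_atom(const uint8_t *atom, size_t avail,
                    uint8_t *dst, size_t dst_cap)
{
    if (avail < ATOM_HEADER_LEN)
        return -1;
    uint32_t size = ((uint32_t) atom[0] << 24) | ((uint32_t) atom[1] << 16) |
                    ((uint32_t) atom[2] << 8)  |  (uint32_t) atom[3];
    if (size < ATOM_HEADER_LEN || size > avail)
        return -1;                     /* declared size exceeds the buffer */
    if (memcmp(atom + 4, "strf", 4) != 0)
        return -1;
    size_t payload = size - ATOM_HEADER_LEN;
    if (payload < STRF_FIXED_HDR)
        return -1;                     /* the check the vulnerable path lacks */
    size_t tocopy = payload - STRF_FIXED_HDR;
    if (tocopy > dst_cap)
        return -1;
    memcpy(dst, atom + ATOM_HEADER_LEN + STRF_FIXED_HDR, tocopy);
    return (int) tocopy;
}

/* Constructed sample input: an strf atom whose declared size (12) leaves only
 * 4 bytes of payload, fewer than the 40-byte header. Returns what the
 * hardened parser makes of it. */
int run_short_strf_case(void)
{
    const uint8_t atom[12] = { 0x00, 0x00, 0x00, 0x0c, 's', 't', 'r', 'f',
                               0xde, 0xad, 0xbe, 0xef };
    uint8_t dst[64];
    return parse_strf_atom(atom, sizeof atom, dst, sizeof dst);
}

/* Constructed sample input: a well-formed strf atom, 40 bytes of header
 * followed by 4 bytes of codec data. Returns the copied length if the
 * copied bytes match the input, else -2. */
int run_wellformed_strf_case(void)
{
    uint8_t atom[ATOM_HEADER_LEN + STRF_FIXED_HDR + 4];
    const uint8_t codec[4] = { 0x01, 0x02, 0x03, 0x04 };
    uint8_t dst[64];
    memset(atom, 0, sizeof atom);
    atom[3] = (uint8_t) sizeof atom;   /* size = 52, fits in one byte */
    memcpy(atom + 4, "strf", 4);
    memcpy(atom + ATOM_HEADER_LEN + STRF_FIXED_HDR, codec, 4);
    int n = parse_strf_atom(atom, sizeof atom, dst, sizeof dst);
    if (n != 4 || memcmp(dst, codec, 4) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("copy length the unchecked path computes for a 4-byte payload: %zu\n",
           vulnerable_copy_len(4));
    printf("short strf atom, hardened parser: %d\n", run_short_strf_case());
    printf("well-formed strf atom, hardened parser: %d bytes of codec data\n",
           run_wellformed_strf_case());
    return 0;
}
```

The key design point is that the length check happens on the declared size before any arithmetic, and that the declared atom size is itself bounded by the bytes actually available; both checks are needed, because a size that passes the 40-byte test can still exceed the source buffer.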
Remediation (AI-generated)
Upgrade GStreamer to 1.24.10 or later, which contains the fix. For custom builds, the upstream patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch. Distribution packages may ship the fix as a backport under an older version string, so check your distribution's advisory rather than the upstream version number alone. Until patching is possible, restrict QuickTime/MP4 processing to trusted sources, and sandbox or isolate components that must demux untrusted media so that a crash in the demuxer does not take down the whole service. The vendor security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0010.html and the GitHub Security Lab advisory at https://securitylab.github.com/advisories/GHSL-2024-242_Gstreamer/ give further technical details.