
GStreamer CVE-2024-47546

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Integer Underflow (CWE-191)
Published: 2024-12-12 by security-advisories@github.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch released: Mar 17, 2026 - 20:45 (nvd); patch available
CVE Published: Dec 12, 2024 - 02:03 (nvd)

Description (NVD)

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the extract_cc_from_data function in qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 underflows if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a very large number, and cclen is then passed to g_memdup2, leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10.

Analysis (AI)

An integer underflow vulnerability in GStreamer's qtdemux component allows remote attackers to trigger out-of-bounds memory reads, potentially causing application crashes or denial of service. The flaw occurs when processing malformed media files with specific atom structures, affecting all GStreamer versions prior to 1.24.10. With an EPSS score of 0.11% and no known active exploitation, this represents a moderate risk primarily for applications processing untrusted media content.

Technical Context (AI)

GStreamer is a widely used open-source multimedia framework (CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) that constructs processing graphs for media handling. The vulnerability stems from CWE-191 (Integer Underflow) in the extract_cc_from_data function in qtdemux.c, specifically when handling FOURCC_c708 closed-caption data atoms. When atom_length is less than 8, the subtraction atom_length - 8 underflows, and the resulting large value is passed to g_memdup2, which then attempts to read beyond the allocated buffer.
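The length arithmetic described in the NVD description and the technical context above, reduced to a self-contained C model. This is an added illustration, not the qtdemux.c source: the atom layout (4-byte big-endian length, 4-byte FOURCC, then payload), the function names and the sample atoms are all constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed atom layout: 4-byte big-endian length, 4-byte FOURCC, payload. */
#define ATOM_HEADER_LEN 8

/* Constructed sample atoms. bad_atom declares a length of 4, shorter than its own
 * 8-byte header, which is the condition the advisory describes. good_atom declares
 * 12 bytes and carries a 4-byte payload. */
static const uint8_t bad_atom[8]   = { 0x00, 0x00, 0x00, 0x04, 'c', '7', '0', '8' };
static const uint8_t good_atom[12] = { 0x00, 0x00, 0x00, 0x0c, 'c', '7', '0', '8',
                                       0x01, 0x02, 0x03, 0x04 };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the payload length is computed with unsigned arithmetic and
 * never compared with the header size, so a declared length below 8 wraps to a
 * value near 4 GiB. This is the quantity that would reach the g_memdup2-style copy. */
uint32_t payload_len_vulnerable(const uint8_t *atom) {
    uint32_t atom_length = read_be32(atom);
    return atom_length - ATOM_HEADER_LEN;   /* underflows when atom_length < 8 */
}

/* Hardened pattern: validate the declared length against both the header size and
 * the bytes actually available before subtracting. Returns -1 when the atom is
 * rejected, otherwise the payload length. */
int64_t payload_len_checked(const uint8_t *atom, size_t avail) {
    if (avail < ATOM_HEADER_LEN)
        return -1;
    uint32_t atom_length = read_be32(atom);
    if (atom_length < ATOM_HEADER_LEN || atom_length > avail)
        return -1;
    return (int64_t)(atom_length - ATOM_HEADER_LEN);
}

int main(void) {
    printf("vulnerable length for bad atom: %u\n",
           (unsigned)payload_len_vulnerable(bad_atom));          /* 4294967292 */
    printf("checked length for bad atom:    %lld\n",
           (long long)payload_len_checked(bad_atom, sizeof bad_atom));   /* -1 */
    printf("checked length for good atom:   %lld\n",
           (long long)payload_len_checked(good_atom, sizeof good_atom)); /* 4 */
    return 0;
}
```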

Remediation (AI)

Upgrade GStreamer to version 1.24.10 or later, which contains the fix available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch. Organizations unable to immediately patch should implement input validation for media files and consider isolating media processing services in sandboxed environments. Monitor the vendor security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0013.html for additional updates. For systems processing untrusted media, implement resource limits and crash recovery mechanisms to mitigate potential denial of service impacts.


CVE-2024-47546 vulnerability details – vuln.today
