Gstreamer CVE-2024-47598
CRITICAL
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description (NVD)
GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size of the stts buffer isn’t properly checked before reading stts_duration, allowing the program to read 4 bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated bounds of the stts array. This vulnerability is fixed in 1.24.10.
Analysis (AI)
An out-of-bounds read vulnerability exists in GStreamer's qtdemux component that allows reading 4 bytes beyond allocated memory boundaries when processing media files. The vulnerability affects GStreamer versions prior to 1.24.10 and can be exploited remotely without authentication to potentially expose sensitive information or cause application crashes. With a CVSS score of 9.1 and network-based attack vector, this represents a significant risk for applications using GStreamer for media processing, though no active exploitation or public proof-of-concept has been reported.
Technical Context (AI)
GStreamer is a multimedia framework library used for constructing graphs of media-handling components, commonly employed in video players, streaming applications, and media processing tools. The vulnerability (CWE-125: Out-of-bounds Read) occurs in the qtdemux_merge_sample_table function within qtdemux.c, which is part of the QuickTime/MP4 demuxer. The affected products are identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* for all versions prior to 1.24.10, where insufficient bounds checking on the stts (time-to-sample) buffer allows stts_duration values to be read from beyond the allocated memory region.
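The missing check described above, shown as an added example that is not GStreamer's code or its patch: a bounds-checked walk over an stts-style table that refuses to read a 4-byte duration when fewer than 4 bytes remain. The names cursor_t, cursor_get_u32_be and stts_total_duration are hypothetical, and the layout assumed is the ISO BMFF one of 8-byte entries (32-bit big-endian sample count, then 32-bit duration).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over an stts-style table (not a GStreamer type). */
typedef struct { const uint8_t *data; size_t size; size_t pos; } cursor_t;

/* Read a big-endian u32 only if 4 bytes remain; returns 0 on a short buffer.
 * pos <= size is an invariant, so the subtraction cannot underflow. */
static int cursor_get_u32_be(cursor_t *c, uint32_t *out)
{
    if (c->size - c->pos < 4)
        return 0;
    const uint8_t *p = c->data + c->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    c->pos += 4;
    return 1;
}

/* Sum count * duration over n_entries (sample_count, duration) pairs.
 * Returns the number of entries consumed, or -1 if the buffer ends inside
 * an entry, which is the case an unchecked read would overrun. */
static long stts_total_duration(const uint8_t *buf, size_t len,
                                uint32_t n_entries, uint64_t *total)
{
    cursor_t c = { buf, len, 0 };
    *total = 0;
    for (uint32_t i = 0; i < n_entries; i++) {
        uint32_t count, duration;
        if (!cursor_get_u32_be(&c, &count) ||
            !cursor_get_u32_be(&c, &duration))
            return -1;
        *total += (uint64_t)count * duration;
    }
    return (long)n_entries;
}

int main(void)
{
    /* Constructed sample: entries (3 samples x 1024) and (1 sample x 512). */
    static const uint8_t table[] = { 0,0,0,3, 0,0,4,0,  0,0,0,1, 0,0,2,0 };
    uint64_t total;
    printf("full: %ld\n", stts_total_duration(table, sizeof table, 2, &total));
    /* Same table cut 4 bytes short: the second duration is missing. */
    printf("truncated: %ld\n",
           stts_total_duration(table, sizeof table - 4, 2, &total));
    return 0;
}
```

The declared entry count is never trusted on its own; every 4-byte read is gated on the bytes actually remaining in the buffer.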
Remediation (AI)
Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch and should be applied immediately for systems processing untrusted media content. For systems that cannot immediately upgrade, consider implementing input validation and sandboxing for media processing operations, restricting the processing of QuickTime/MP4 files from untrusted sources, or isolating GStreamer-based applications in controlled environments with limited access to sensitive data.