
GStreamer CVE-2024-47599

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: NULL Pointer Dereference (CWE-476)
Published: 2024-12-12 (source: security-advisories@github.com)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High

Lifecycle Timeline

- Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
- Patch released / Patch available: Mar 17, 2026 - 20:45 (nvd)
- CVE Published: Dec 12, 2024 - 02:03 (nvd), rated HIGH 7.5

Description (NVD)

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

Analysis (AI)

A null pointer dereference vulnerability in GStreamer's JPEG decoder component allows remote attackers to cause a denial of service by triggering a segmentation fault when processing specially crafted media content. The vulnerability affects GStreamer versions prior to 1.24.10 and has a low exploitation probability (EPSS 0.07%) with no known active exploitation in the wild. While the CVSS score is high (7.5), the impact is limited to availability only, making this a medium-priority issue for most organizations.

Technical Context (AI)

GStreamer is a widely used open-source multimedia framework that constructs graphs of media-handling components for processing audio and video streams. The vulnerability occurs in the gst_jpeg_dec_negotiate function within the JPEG decoder plugin (gstjpegdec.c), where the code fails to validate the return value of gst_video_decoder_set_output_state before dereferencing it. This is a classic CWE-476 NULL Pointer Dereference: improper error handling leads to an attempted access of memory address 0x0, causing an immediate crash of the application using the GStreamer library.
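The defect class described above, as an added illustration that is not GStreamer code: a negotiation routine that uses the return value of a state-setting call without checking it, next to the hardened form that checks for NULL and reports failure. The Decoder and OutputState types, the mock_set_output_state function and its failure flag are constructed stand-ins for the real gst_video_decoder_set_output_state call and are not the project's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a decoder's negotiated output state. */
typedef struct {
    int width;
    int height;
} OutputState;

/* Constructed stand-in for the decoder object; allocator_failure forces the
 * state-setting call to fail so the NULL-return path can be exercised. */
typedef struct {
    int negotiated_width;
    int negotiated_height;
    bool allocator_failure;
} Decoder;

static OutputState g_state_storage;

/* Hypothetical stand-in for gst_video_decoder_set_output_state: the advisory
 * states the real call can return NULL, and this mock does so when the decoder
 * cannot negotiate output or the requested dimensions are invalid. */
static OutputState *mock_set_output_state(Decoder *dec, int w, int h) {
    if (dec->allocator_failure || w <= 0 || h <= 0)
        return NULL;
    g_state_storage.width = w;
    g_state_storage.height = h;
    return &g_state_storage;
}

/* Vulnerable pattern (CWE-476): the returned pointer is dereferenced without a
 * NULL check. With a decoder whose negotiation fails this reads address 0. */
static int negotiate_unchecked(Decoder *dec, int w, int h) {
    OutputState *outstate = mock_set_output_state(dec, w, h);
    dec->negotiated_width = outstate->width;   /* crashes when outstate == NULL */
    dec->negotiated_height = outstate->height;
    return 0;
}

/* Hardened pattern: test the return value and propagate the failure so the
 * caller can drop the buffer or post an error instead of crashing. */
static int negotiate_checked(Decoder *dec, int w, int h) {
    OutputState *outstate = mock_set_output_state(dec, w, h);
    if (outstate == NULL)
        return -1;
    dec->negotiated_width = outstate->width;
    dec->negotiated_height = outstate->height;
    return 0;
}

int main(void) {
    Decoder healthy = { 0, 0, false };
    Decoder failing = { 0, 0, true };

    int rc = negotiate_checked(&healthy, 640, 480);
    printf("healthy decoder, checked: rc=%d (%dx%d)\n",
           rc, healthy.negotiated_width, healthy.negotiated_height);

    rc = negotiate_checked(&failing, 640, 480);
    printf("failing decoder, checked: rc=%d (negotiation refused, no crash)\n", rc);

    /* negotiate_unchecked(&failing, 640, 480) would dereference NULL here. */
    return 0;
}
```

The unchecked variant is only safe to call when the stand-in succeeds; the checked variant turns the same failure into an error return, which is the shape of fix the advisory describes for gst_jpeg_dec_negotiate.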

Remediation (AI)

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040.patch and can be applied to earlier versions if immediate upgrade is not feasible. As a temporary mitigation, consider implementing input validation for JPEG files before processing them through GStreamer, or isolating media processing services to minimize the impact of potential crashes. Debian users should apply the updates mentioned in https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html.


CVE-2024-47599 vulnerability details – vuln.today
