CVE-2024-47599

HIGH 7.5 (CVSS 3.1)
2024-12-12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Dec 12, 2024 - 02:03 (nvd), HIGH 7.5

Description

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

Analysis

A null pointer dereference vulnerability in GStreamer's JPEG decoder component allows remote attackers to cause a denial of service by triggering a segmentation fault when processing specially crafted media content. The vulnerability affects GStreamer versions prior to 1.24.10 and has a low exploitation probability (EPSS 0.07%) with no known active exploitation in the wild. While the CVSS score is high (7.5), the impact is limited to availability only, making this a medium-priority issue for most organizations.

Technical Context

GStreamer is a widely-used open-source multimedia framework that constructs graphs of media-handling components for processing audio and video streams. The vulnerability occurs in the gst_jpeg_dec_negotiate function within the JPEG decoder plugin (gstjpegdec.c), where the code fails to validate the return value from gst_video_decoder_set_output_state before dereferencing it. This represents a classic CWE-476 NULL Pointer Dereference vulnerability, where improper error handling leads to attempted access of memory location 0x0, causing an immediate crash of the application using the GStreamer library.

Affected Products

GStreamer versions prior to 1.24.10 are affected by this vulnerability, as identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically impacts the GStreamer Good Plugins package containing the JPEG decoder component. Organizations using GStreamer for media processing, including those on Debian systems as noted in the Debian security announcement, should assess their exposure. The official GStreamer security advisory is available at https://gstreamer.freedesktop.org/security/sa-2024-0016.html.

Remediation

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8040.patch and can be applied to earlier versions if immediate upgrade is not feasible. As a temporary mitigation, consider implementing input validation for JPEG files before processing them through GStreamer, or isolating media processing services to minimize the impact of potential crashes. Debian users should apply the updates mentioned in https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html.
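
The unchecked return value described under Technical Context, together with the process-isolation mitigation mentioned above, as an added example that is neither GStreamer's code nor the upstream patch. The names `set_output_state`, `negotiate_unchecked`, `negotiate_checked` and `run_isolated` are hypothetical stand-ins, and the condition that makes the state setup fail is constructed.

```c
/* Model of the unchecked-NULL pattern; not GStreamer source. set_output_state()
 * stands in for gst_video_decoder_set_output_state(); its failure condition
 * (non-positive dimensions) is constructed for this demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

struct out_state { int width, height, flags; };
static struct out_state *set_output_state(int width, int height) {
    static struct out_state st;
    if (width <= 0 || height <= 0) return NULL;  /* format setup failed */
    st.width = width; st.height = height;
    return &st;
}

/* Unchecked: dereferences the result even when it is NULL. The volatile
 * qualifier keeps the optimizer from eliding the faulting store. */
bool negotiate_unchecked(int width, int height) {
    struct out_state *volatile outstate = set_output_state(width, height);
    outstate->flags = 1;
    return true;
}

/* Checked: a NULL state becomes a negotiation failure the caller can handle. */
bool negotiate_checked(int width, int height) {
    struct out_state *outstate = set_output_state(width, height);
    if (outstate == NULL) return false;
    outstate->flags = 1;
    return true;
}

enum result { NEGOTIATED, REJECTED, CRASHED };
/* Runs one negotiation in a child process so a crash stays out of the caller. */
enum result run_isolated(bool (*negotiate)(int, int), int width, int height) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(negotiate(width, height) ? 0 : 42);
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return CRASHED;  /* fork failed or the child died on a signal */
    int code = WEXITSTATUS(status);
    return code == 0 ? NEGOTIATED : code == 42 ? REJECTED : CRASHED;
}

int main(void) {
    printf("unchecked: %d\n", (int)run_isolated(negotiate_unchecked, 0, 480));
    printf("checked:   %d\n", (int)run_isolated(negotiate_checked, 0, 480));
    return 0;
}
```

With the check in place the failure surfaces as an ordinary error return; without it, the same input ends the worker process, which the supervising parent observes and survives.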

Priority Score

38 (KEV: 0, EPSS: +0.1, CVSS: +38, POC: 0)
