CVE-2024-47600

CRITICAL (CVSS 3.1: 9.1)
2024-12-12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Dec 12, 2024 - 02:03 (nvd), CRITICAL 9.1

Description

GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10.

Analysis

An out-of-bounds read vulnerability in GStreamer's media discovery component allows remote attackers to read sensitive stack memory and potentially crash applications. The flaw occurs when processing media files with more than 64 audio channels, causing the format_channel_mask function to read beyond array bounds. With a CVSS score of 9.1 and a network-based attack vector requiring no authentication, this represents a critical risk for applications using GStreamer for media processing, though no active exploitation or public proof-of-concept has been reported.

Technical Context

GStreamer is a widely used open-source multimedia framework that constructs processing pipelines for audio and video data. The vulnerability (CWE-125: Out-of-bounds Read) exists in the gst-discoverer.c component, specifically in the format_channel_mask function, which uses a fixed-size array of 64 elements to process audio channel information. When gst_discoverer_audio_info_get_channels returns a value exceeding 64, the subsequent for loop accesses memory beyond the position array boundaries. The affected product is identified by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*, and all versions prior to 1.24.10 are vulnerable. This out-of-bounds read can expose stack contents, and the subsequent dereference of value->value_nick may lead to further memory corruption.

Affected Products

GStreamer versions prior to 1.24.10 are affected by this vulnerability, as identified by the CPE string cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically impacts the gst-discoverer component used for media file analysis and metadata extraction. Debian has issued security updates for their LTS distributions as noted in their security announcement at https://lists.debian.org/debian-lts-announce/2024/12/msg00021.html. The official GStreamer security advisory is available at https://gstreamer.freedesktop.org/security/sa-2024-0018.html.

Remediation

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8034.patch and can be applied to earlier versions if immediate upgrading is not feasible. Until patching is complete, consider implementing input validation to reject media files with unusually high channel counts (over 64) and restrict processing of untrusted media files. For detailed remediation guidance, refer to the vendor security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0018.html and the GitHub Security Lab advisory at https://securitylab.github.com/advisories/GHSL-2024-248_Gstreamer/.
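The channel-count check described above, as an added example: a simplified, self-contained C model, not GStreamer's code or the upstream patch. The names format_channel_mask_checked and nick_for, the four-entry nick table and the way positions are derived from the mask are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_POSITIONS 64 /* size of the fixed local array described above */

/* Hypothetical stand-in for the enum lookup; NULL for an unknown position. */
static const char *nick_for(int pos)
{
    static const char *const nicks[] = { "front-left", "front-right",
                                         "front-center", "lfe1" };
    if (pos < 0 || (size_t)pos >= sizeof nicks / sizeof nicks[0])
        return NULL;
    return nicks[pos];
}

/* Writes "nick, nick, ..." into out. Returns 0, or -1 when input is rejected. */
int format_channel_mask_checked(unsigned channels, uint64_t mask,
                                char *out, size_t outlen)
{
    int position[MAX_POSITIONS];
    unsigned i, n = 0;
    size_t used = 0;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    /* channels is read from the media file: bound it before any indexing. */
    if (channels == 0 || channels > MAX_POSITIONS)
        return -1;

    memset(position, 0xff, sizeof position); /* every slot starts as -1 */
    for (i = 0; i < 64 && n < channels; i++) /* one slot per set mask bit */
        if (mask & (UINT64_C(1) << i))
            position[n++] = (int)i;

    for (i = 0; i < channels; i++) { /* safe: channels <= MAX_POSITIONS */
        const char *nick = nick_for(position[i]);
        int w;
        if (nick == NULL) /* failed lookup: do not dereference */
            return -1;
        w = snprintf(out + used, outlen - used, "%s%s", nick,
                     i + 1 == channels ? "" : ", ");
        if (w < 0 || (size_t)w >= outlen - used)
            return -1; /* would truncate */
        used += (size_t)w;
    }
    return 0;
}
```

The same two checks, an upper bound on the count before the loop and a NULL test on each lookup result, cover both failure modes the description names.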

Priority Score

46 (KEV: 0, EPSS: +0.1, CVSS: +46, POC: 0)
