GStreamer CVE-2024-47601
Severity: HIGH
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10.
Analysis (AI)
A null pointer dereference vulnerability exists in GStreamer's Matroska demuxer component, specifically in the gst_matroska_demux_parse_blockgroup_or_simpleblock function. GStreamer versions prior to 1.24.10 are affected, allowing remote attackers to cause denial of service by sending specially crafted Matroska (MKV) media files without authentication. With an EPSS score of 0.10% (28th percentile), exploitation probability is currently low, though proof-of-concept details are publicly available through GitHub Security Lab.
Technical Context (AI)
GStreamer is a widely-used multimedia framework (cpe:2.3:a:gstreamer:gstreamer) that provides a pipeline-based architecture for constructing media processing workflows. The vulnerability resides in matroska-demux.c, which handles parsing of Matroska container format files (commonly .mkv, .webm). The issue is classified as CWE-476 (NULL Pointer Dereference): the gst_matroska_demux_parse_blockgroup_or_simpleblock function fails to validate the GstBuffer *sub pointer before dereferencing it. When a malformed Matroska file is processed, the pointer can still be NULL at the point of dereference, which crashes the demuxer component and terminates the media processing pipeline.
Remediation (AI)
Upgrade GStreamer to version 1.24.10 or later to address this vulnerability, as documented in the official security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0020.html. The fix is available through the upstream patch at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch. Debian users should apply updates referenced in https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html. As an interim mitigation, restrict processing of Matroska media files to trusted sources only, implement input validation and sanitization for media files before processing, and consider sandboxing GStreamer-based applications to limit the impact of denial-of-service crashes. Monitor for abnormal application terminations that may indicate exploitation attempts.
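The monitoring step above can be narrowed to this bug's crash signature. The following is an added example, not code from this page's sources or the GStreamer project: it scans Linux kernel log lines for segfaults whose fault address lies in the first page (a NULL dereference, possibly plus a small field offset) and whose faulting code is in the Matroska plugin. It assumes the plugin is loaded as libgstmatroska.so and that the kernel emits its usual "segfault at" message; the log lines are constructed samples.

```python
import re

# Kernel format: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <lib>[...]"
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip [0-9a-f]+ sp [0-9a-f]+ error [0-9a-f]+"
    r"(?: in (?P<lib>[^\[\s]+)\[)?"
)

PLUGIN = "libgstmatroska.so"  # assumption: shared-object name of the Matroska plugin
NULL_PAGE = 0x1000            # fault addresses below this are NULL-based dereferences


def find_matroska_null_derefs(lines):
    """Return (comm, pid, fault_addr) for NULL-page faults inside the Matroska plugin."""
    hits = []
    for line in lines:
        m = SEGV.search(line)
        if not m or m.group("lib") != PLUGIN:
            continue  # not a segfault line, or the fault is in another module
        addr = int(m.group("addr"), 16)
        if addr < NULL_PAGE:
            hits.append((m.group("comm"), int(m.group("pid")), addr))
    return hits


# Constructed sample input (not real telemetry).
SAMPLE_LOG = [
    "Feb 10 12:00:01 host kernel: gst-launch-1.0[4242]: segfault at 0 ip 00007f3c2a1b4c10 "
    "sp 00007ffd5e2a1b20 error 4 in libgstmatroska.so[7f3c2a190000+5a000]",
    "Feb 10 12:03:17 host kernel: mediaindexer[977]: segfault at 18 ip 00007f10c8a24c10 "
    "sp 00007ffc1d2e0a40 error 4 in libgstmatroska.so[4c10,7f10c8a20000+5a000] "
    "likely on CPU 2 (core 2, socket 0)",
    # Same plugin, but a wild (non-NULL) address: a different class of bug.
    "Feb 10 12:05:44 host kernel: transcoder[3105]: segfault at 7f3c2a1b9000 "
    "ip 00007f3c2a1b4d22 sp 00007ffd11c0e310 error 6 in libgstmatroska.so[7f3c2a190000+5a000]",
    # NULL dereference, but in another library.
    "Feb 10 12:06:02 host kernel: gst-launch-1.0[4250]: segfault at 0 ip 00007f3c29e01a30 "
    "sp 00007ffd5e2a1c00 error 4 in libc.so.6[7f3c29d80000+195000]",
    "Feb 10 12:06:30 host systemd[1]: Started Media indexing service.",
]

if __name__ == "__main__":
    for comm, pid, addr in find_matroska_null_derefs(SAMPLE_LOG):
        print(f"NULL dereference in {PLUGIN}: process={comm} pid={pid} fault_addr={addr:#x}")
```

A match means a crash consistent with CWE-476 in the demuxer, not proof of this specific CVE; correlate it with the installed GStreamer version and the file being processed at the time.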