CVE-2024-47607

Severity: CRITICAL (CVSS 3.1 score 9.8)
Date: 2024-12-12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Dec 12, 2024 - 02:03 (nvd), CRITICAL 9.8

Description

GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c`. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows overwriting the EIP address stored on the stack. This vulnerability is fixed in 1.24.10.

Analysis

A stack-based buffer overflow vulnerability exists in GStreamer's Opus audio decoder that allows remote attackers to execute arbitrary code by overwriting the instruction pointer (EIP) on the stack. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be triggered when processing specially crafted Opus audio streams with more than 64 channels. While not currently listed in CISA KEV and with no public exploit code identified, the vulnerability has a critical CVSS score of 9.8 due to its remote exploitability without authentication.

Technical Context

GStreamer is a widely-used multimedia framework library for building media processing pipelines, identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability occurs in the gst_opus_dec_parse_header function within gstopusdec.c, where a fixed-size stack buffer 'pos' of 64 elements is allocated to store audio channel positions. This is a classic CWE-121 (Stack-based Buffer Overflow) vulnerability where the code fails to validate that n_channels does not exceed the buffer size before entering a loop that writes GST_AUDIO_CHANNEL_POSITION_NONE values. When processing Opus audio with more than 64 channels, the loop writes beyond the buffer boundaries, potentially overwriting critical stack data including the return address.

Affected Products

All versions of GStreamer prior to version 1.24.10 are vulnerable to this stack buffer overflow, as identified by the CPE string cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically affects the Opus audio decoder plugin (gstopusdec) component. Official details are available in the GStreamer security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0024.html, with additional analysis provided by GitHub Security Lab at https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/. Debian has also issued security updates as noted in https://lists.debian.org/debian-lts-announce/2024/12/msg00021.html.

Remediation

Upgrade GStreamer to version 1.24.10 or later, which contains the official patch for this vulnerability available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8037.patch. Organizations should prioritize patching systems that process untrusted Opus audio content or expose GStreamer-based services to the network. As a temporary mitigation until patching is complete, consider implementing input validation to reject Opus streams with excessive channel counts (over 64) and restricting network access to GStreamer-based services. Monitor the vendor security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0024.html for any additional guidance or updated patches.
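
The temporary mitigation above (rejecting Opus streams that declare more than 64 channels) can be applied to the stream's identification header before it reaches the decoder. The C code below is an added example, not GStreamer's code or its patch; it assumes the caller has already extracted the first `OpusHead` packet from its container and uses the RFC 7845 field layout, and the names `check_opus_head`, `head_verdict`, `MAX_POSITIONS` and `sample_stereo_head` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not GStreamer code. Offsets follow the OpusHead
 * identification header layout in RFC 7845, section 5.1. */
#define OPUS_HEAD_MIN_LEN 19  /* magic 8, version 1, channels 1, pre-skip 2, rate 4, gain 2, family 1 */
#define MAX_POSITIONS     64  /* size of the stack array named in the advisory */

enum head_verdict {
    HEAD_OK = 0,
    HEAD_TRUNCATED,     /* shorter than the fields that must be read */
    HEAD_BAD_MAGIC,     /* not an OpusHead packet */
    HEAD_BAD_CHANNELS,  /* zero, or more than the decoder can place */
    HEAD_BAD_MAPPING    /* channel mapping table is inconsistent */
};

/* Constructed sample: stereo, pre-skip 312, 48000 Hz, mapping family 0. */
const uint8_t sample_stereo_head[19] = {
    'O','p','u','s','H','e','a','d', 1, 2, 0x38,0x01, 0x80,0xBB,0,0, 0,0, 0
};

/* Assumption: buf/len is the stream's first packet, already extracted
 * from its container by the caller. */
enum head_verdict check_opus_head(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < OPUS_HEAD_MIN_LEN)
        return HEAD_TRUNCATED;
    if (memcmp(buf, "OpusHead", 8) != 0)
        return HEAD_BAD_MAGIC;
    unsigned channels = buf[9];  /* one byte: a header can claim up to 255 */
    unsigned family = buf[18];
    if (channels == 0 || channels > MAX_POSITIONS)
        return HEAD_BAD_CHANNELS;
    if (family == 0)             /* no table follows; mono or stereo only */
        return channels <= 2 ? HEAD_OK : HEAD_BAD_CHANNELS;
    /* Other families append stream count, coupled count, one byte per channel. */
    if (len < (size_t)OPUS_HEAD_MIN_LEN + 2 + channels)
        return HEAD_TRUNCATED;
    unsigned streams = buf[19], coupled = buf[20];
    if (streams == 0 || coupled > streams || streams + coupled > 255)
        return HEAD_BAD_MAPPING;
    for (unsigned i = 0; i < channels; i++) {
        unsigned idx = buf[21 + i];
        if (idx != 255 && idx >= streams + coupled)  /* 255 marks a silent channel */
            return HEAD_BAD_MAPPING;
    }
    return HEAD_OK;
}
```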

Priority Score

49
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0
