What is the CVSS score of CVE-2024-47613?

CVE-2024-47613 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Gstreamer are affected by CVE-2024-47613?

Organizations using GStreamer face critical risk from CVE-2024-47613, a null pointer dereference vulnerability rated CVSS 9.8.. A patch is available.

How to fix or mitigate CVE-2024-47613?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Vendor patch is available.

Gstreamer CVE-2024-47613

CRITICAL

NULL Pointer Dereference (CWE-476)

2024-12-12 security-advisories@github.com

Denial Of Service Gstreamer

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

Patch released

Mar 17, 2026 - 20:45 nvd

Patch available

CVE Published

Dec 12, 2024 - 02:03 nvd

CRITICAL 9.8

DescriptionNVD

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in gst_gdk_pixbuf_dec_flush within gstgdkpixbufdec.c. This function invokes memcpy, using out_pix as the destination address. out_pix is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to memcpy to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

AnalysisAI

A null pointer dereference vulnerability exists in GStreamer's GdkPixbuf decoder that occurs when processing specially crafted media files, causing the application to crash with a segmentation fault. The vulnerability affects GStreamer versions prior to 1.24.10 and allows remote attackers to trigger a denial of service without authentication or user interaction. While rated CVSS 9.8, this appears to be primarily a DoS vulnerability despite the high confidentiality/integrity scores, with no evidence of active exploitation in the wild or inclusion in CISA's KEV catalog.

Technical ContextAI

GStreamer is a widely-used open-source multimedia framework for constructing graphs of media-handling components, commonly used in Linux desktop environments and multimedia applications. The vulnerability (CWE-476: NULL Pointer Dereference) occurs in the gst_gdk_pixbuf_dec_flush function within gstgdkpixbufdec.c, where the code attempts to use memcpy to write to a destination address (out_pix) that can be NULL under certain conditions when processing malformed input files. The affected CPE identifier is cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* for versions before 1.24.10, indicating all GStreamer installations regardless of platform or configuration are potentially vulnerable.

RemediationAI

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041.patch and can be applied directly if upgrading is not immediately possible. For systems that cannot be immediately patched, consider implementing input validation or sandboxing for applications processing untrusted media files, though these are imperfect workarounds. Debian LTS users should refer to the security announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html for distribution-specific guidance.

CVE-2024-47613 vulnerability details – vuln.today

Back

Gstreamer CVE-2024-47613

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code