CVE-2024-47613

CRITICAL
2024-12-12 [email protected]
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 12, 2024 - 02:03 nvd
CRITICAL 9.8

Tags

Denial Of Service Gstreamer

Description

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.

Analysis

A null pointer dereference vulnerability exists in GStreamer's GdkPixbuf decoder that occurs when processing specially crafted media files, causing the application to crash with a segmentation fault. The vulnerability affects GStreamer versions prior to 1.24.10 and allows remote attackers to trigger a denial of service without authentication or user interaction. While rated CVSS 9.8, this appears to be primarily a DoS vulnerability despite the high confidentiality/integrity scores, with no evidence of active exploitation in the wild or inclusion in CISA's KEV catalog.

Technical Context

GStreamer is a widely-used open-source multimedia framework for constructing graphs of media-handling components, commonly used in Linux desktop environments and multimedia applications. The vulnerability (CWE-476: NULL Pointer Dereference) occurs in the gst_gdk_pixbuf_dec_flush function within gstgdkpixbufdec.c, where the code attempts to use memcpy to write to a destination address (out_pix) that can be NULL under certain conditions when processing malformed input files. The affected CPE identifier is cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* for versions before 1.24.10, indicating all GStreamer installations regardless of platform or configuration are potentially vulnerable.

Affected Products

GStreamer multimedia framework versions prior to 1.24.10 are affected by this vulnerability, as identified by the CPE string cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically impacts the GdkPixbuf decoder plugin component. Official security information is available at the GStreamer security advisory page at https://gstreamer.freedesktop.org/security/sa-2024-0025.html, with additional technical details provided in GitHub Security Lab's advisory at https://securitylab.github.com/advisories/GHSL-2024-115_GHSL-2024-118_Gstreamer/.

Remediation

Upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8041.patch and can be applied directly if upgrading is not immediately possible. For systems that cannot be immediately patched, consider implementing input validation or sandboxing for applications processing untrusted media files, though these are imperfect workarounds. Debian LTS users should refer to the security announcement at https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html for distribution-specific guidance.

Priority Score

49
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +49
POC: 0

Share

CVE-2024-47613 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy