GStreamer CVE-2024-47615
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (whose size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10.
Analysis (AI)
A critical out-of-bounds write vulnerability in GStreamer's Vorbis parser could allow remote code execution when a malicious media file is processed. The flaw affects all GStreamer versions prior to 1.24.10 and lets an attacker overwrite up to 380 bytes of memory beyond the array boundary, potentially leading to arbitrary code execution without authentication. The vulnerability has been assigned a CVSS score of 9.8, indicating critical severity, with exploitation possible over the network.
Technical Context (AI)
GStreamer is a widely used multimedia framework library for constructing media processing pipelines, identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability resides in the gst_parse_vorbis_setup_packet function within vorbis_parse.c, where an integer size value is read from untrusted input and used as a loop bound without validation. This classic CWE-787 (Out-of-bounds Write) occurs because the code fails to verify that the size value does not exceed the fixed 256-element pad->vorbis_mode_sizes array, so a specially crafted Vorbis audio stream causes memory corruption that extends up to 380 bytes past the array boundary.
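As an added illustration, not GStreamer's own code and not the real Vorbis bitstream layout, the C sketch below shows the bound check whose absence the advisory describes: a mode count read from the packet is validated against the 256-element array before the loop that fills it, and also against the bytes actually present. The packet format, the vorbis_pad struct, and the function names are constructed for this example.

```c
/* Added illustration for CVE-2024-47615, not GStreamer's code. The packet
 * layout is constructed (16-bit big-endian mode count, then one byte per
 * mode holding 0 or 1); the real Vorbis setup header is bit-packed and the
 * real gst_parse_vorbis_setup_packet differs. Only the bound check matters. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VORBIS_MODE_SIZES_MAX 256   /* fixed array length named in the advisory */

struct vorbis_pad {
    int vorbis_mode_sizes[VORBIS_MODE_SIZES_MAX];
    int mode_count;                 /* adjacent state an OOB write would clobber */
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_MANY_MODES = -2 };

/* Fill pad from the packet. The advisory's bug is the absence of the
 * check against VORBIS_MODE_SIZES_MAX before the loop that writes the array. */
int parse_mode_sizes(const uint8_t *buf, size_t len, struct vorbis_pad *pad)
{
    if (len < 2)
        return PARSE_TRUNCATED;
    uint32_t size = ((uint32_t)buf[0] << 8) | buf[1];   /* attacker-controlled */

    if (size > VORBIS_MODE_SIZES_MAX)        /* bound by the destination array */
        return PARSE_TOO_MANY_MODES;
    if (len - 2 < size)                      /* bound by the bytes actually present */
        return PARSE_TRUNCATED;

    memset(pad->vorbis_mode_sizes, 0, sizeof pad->vorbis_mode_sizes);
    for (uint32_t i = 0; i < size; i++)
        pad->vorbis_mode_sizes[i] = buf[2 + i] & 1;
    pad->mode_count = (int)size;
    return PARSE_OK;
}

/* Constructed packets: valid, oversized count, and count larger than the data. */
static const uint8_t good_packet[] = { 0x00, 0x03, 1, 0, 1 };      /* 3 modes */
static const uint8_t oversized_packet[] = { 0x01, 0x2c, 0, 0, 0 }; /* claims 300 */
static const uint8_t truncated_packet[] = { 0x00, 0x10, 1, 1 };    /* claims 16, has 2 */

/* Driver: the parsed mode count on success, otherwise the negative error code. */
int modes_for(const uint8_t *buf, size_t len)
{
    struct vorbis_pad pad;
    int rc = parse_mode_sizes(buf, len, &pad);
    return rc == PARSE_OK ? pad.mode_count : rc;
}
```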
Remediation (AI)
Immediately upgrade GStreamer to version 1.24.10 or later, which contains the fix for this vulnerability. The patch is available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8038.patch and should be applied urgently given the critical severity. For systems that cannot be immediately patched, implement strict input validation for any Vorbis media files and consider disabling Vorbis codec support temporarily if feasible. Additionally, deploy network segmentation to limit exposure of systems running vulnerable GStreamer versions and monitor for unusual media processing activity or crashes that could indicate exploitation attempts.