GStreamer CVE-2024-47775
Severity: CRITICAL
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description (NVD)
GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.
Analysis (AI-generated)
An out-of-bounds read vulnerability exists in GStreamer's WAV file parser that allows remote attackers to crash applications or potentially leak sensitive memory contents when processing malformed WAV files. The vulnerability affects all GStreamer versions prior to 1.24.10 and can be triggered without authentication through network-accessible applications using the library. While no public exploits or KEV listings exist, the high CVSS score of 9.1 reflects the potential for both denial of service and information disclosure impacts.
Technical Context (AI-generated)
GStreamer is a widely used open-source multimedia framework library (CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) that provides a pipeline-based architecture for handling audio and video streams. The vulnerability occurs in the parse_ds64 function within the gstwavparse.c component, which is responsible for parsing WAV audio files. The root cause is a classic buffer over-read (CWE-125): the code performs multiple GST_READ_UINT32_LE operations to read 32-bit values from the input buffer without first verifying that enough data is available, so a specially crafted WAV file with a truncated or malformed DS64 chunk causes reads beyond the end of the buffer.
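As an added illustration (not GStreamer's own code), the following minimal ds64 chunk parser performs the length check the advisory says parse_ds64 lacked; the read_u32_le helper standing in for GST_READ_UINT32_LE and the 28-byte field layout taken from the RF64 specification are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for GST_READ_UINT32_LE (assumed): little-endian 32-bit read. */
static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* RF64 'ds64' chunk body (assumed layout: 3 x u64 sizes + u32 table length, 28 bytes). */
typedef struct {
    uint64_t riff_size;
    uint64_t data_size;
    uint64_t sample_count;
    uint32_t table_length;
} ds64_t;

#define DS64_MIN_LEN 28u

/* Hardened parser: check that len covers every field BEFORE reading.
 * Issuing the reads below without this check on a shorter buffer is
 * the CWE-125 out-of-bounds read pattern the advisory describes. */
bool parse_ds64_safe(const uint8_t *buf, size_t len, ds64_t *out)
{
    if (buf == NULL || out == NULL || len < DS64_MIN_LEN)
        return false;                 /* truncated chunk: refuse to parse */
    out->riff_size    = read_u32_le(buf)      | ((uint64_t)read_u32_le(buf + 4)  << 32);
    out->data_size    = read_u32_le(buf + 8)  | ((uint64_t)read_u32_le(buf + 12) << 32);
    out->sample_count = read_u32_le(buf + 16) | ((uint64_t)read_u32_le(buf + 20) << 32);
    out->table_length = read_u32_le(buf + 24);
    return true;
}

int main(void)
{
    /* Constructed sample ds64 body, parsed in full and then truncated. */
    const uint8_t body[DS64_MIN_LEN] = {
        0x10, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,  /* riff_size    */
        0xF0, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,  /* data_size    */
        0x78, 0x56, 0x34, 0x12, 0x00, 0x00, 0x00, 0x00,  /* sample_count */
        0x00, 0x00, 0x00, 0x00                           /* table_length */
    };
    ds64_t d;
    printf("full:  %s\n", parse_ds64_safe(body, sizeof body, &d) ? "ok" : "rejected");
    printf("short: %s\n", parse_ds64_safe(body, 12, &d) ? "ok" : "rejected");
    return 0;
}
```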
Remediation (AI-generated)
Upgrade GStreamer to version 1.24.10 or later, which contains the official patch available at https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8042.patch. Organizations should review their software inventory for applications that embed or depend on GStreamer and ensure updates are applied across all systems. As a temporary mitigation until patching is complete, restrict processing of WAV files from untrusted sources and implement input validation for media files at application boundaries. For detailed patching instructions, consult the vendor security advisory at https://gstreamer.freedesktop.org/security/sa-2024-0027.html.