CVE-2025-2759

HIGH
2025-05-22 [email protected]
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
CVE Published
May 22, 2025 - 01:15 nvd
HIGH 7.8

Tags

Privilege Escalation RCE Gstreamer Suse

Description

GStreamer Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of GStreamer. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. The issue results from incorrect permissions on folders. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25448.

Analysis

A local privilege escalation vulnerability in GStreamer's installer allows attackers with low-privileged access to escalate to higher privileges due to incorrect folder permissions. The vulnerability affects all versions of GStreamer and enables arbitrary code execution in the context of a target user. With a low EPSS score of 0.01% and no KEV listing, this vulnerability has limited evidence of active exploitation in the wild.

Technical Context

GStreamer is an open-source multimedia framework used for creating streaming media applications, affected across all versions according to the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), where the product installer sets overly permissive access rights on folders during installation. This permission misconfiguration allows lower-privileged processes to modify or replace files that will be executed with higher privileges, creating a pathway for privilege escalation.

Affected Products

All versions of GStreamer are affected by this vulnerability as indicated by the CPE string cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability specifically impacts Windows installations where the GStreamer installer creates folders with incorrect permissions. The Zero Day Initiative advisory ZDI-25-268 provides additional details at https://www.zerodayinitiative.com/advisories/ZDI-25-268/.

Remediation

Update to the latest version of GStreamer once a patched version is released by the GStreamer project. Until an official patch is available, manually review and correct folder permissions created by the GStreamer installer, ensuring that low-privileged users cannot write to directories containing executables or libraries loaded by higher-privileged processes. Monitor the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-268/ for patch availability announcements.

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Vendor Status

Share

CVE-2025-2759 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy