CVE-2025-3887
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H265 slice headers. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26596.
Analysis
A stack-based buffer overflow vulnerability exists in GStreamer's H265 codec parsing functionality that allows remote attackers to execute arbitrary code on affected systems. The vulnerability occurs when processing malformed H265 slice headers, enabling attackers to overflow a fixed-length stack buffer and potentially take control of the application processing the media content. With an EPSS score of 0.61% (69th percentile) and a CVSS score of 8.8, this represents a significant risk for applications using GStreamer for video processing, though it requires user interaction to exploit.
Technical Context
GStreamer is a widely used open-source multimedia framework that provides libraries and tools for constructing graphs of media-handling components, commonly used in Linux distributions and multimedia applications. The vulnerability affects GStreamer installations as identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* and has been confirmed to impact Debian Linux 11.0 (CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*). The root cause is a classic CWE-121 stack-based buffer overflow: the H265 codec parser fails to validate the length of user-supplied data before copying it into a fixed-size buffer on the stack, so an attacker can write beyond the buffer boundary and potentially overwrite return addresses or other critical stack data.
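The root-cause pattern described above, as an added illustration that is not GStreamer's code and does not reproduce the real slice-header syntax: a toy parser reads an entry count from untrusted input and copies that many bytes into a fixed-size stack array. The function names, the MAX_ENTRIES capacity, the input layout and the sample inputs are all constructed for this example. The vulnerable variant checks only that the source buffer is long enough, which is the CWE-121 shape the advisory describes; the hardened variant adds the destination-bound check and rejects over-long headers instead of copying them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capacity of the fixed-size stack array in this toy parser. This is a
 * constructed value for the example, not a GStreamer constant. */
#define MAX_ENTRIES 8

/* Input layout used by both parsers (constructed for this example):
 *   byte 0      : entry count, supplied by the untrusted stream
 *   bytes 1..n  : the entries themselves
 * Both functions return the number of entries parsed, or -1 on rejection,
 * and optionally write the sum of the entries to *sum_out. */

/* Vulnerable pattern (CWE-121). The count comes straight from the input and
 * becomes the loop bound for a fixed-size stack array. The length check only
 * guards the source buffer; nothing bounds the destination, so a count above
 * MAX_ENTRIES writes past entries[] into adjacent stack data. It is shown
 * only for comparison and is never called here with an oversized count. */
static int parse_entries_vulnerable(const uint8_t *data, size_t len,
                                    uint32_t *sum_out)
{
    uint8_t entries[MAX_ENTRIES];
    uint32_t sum = 0;

    if (len < 1)
        return -1;
    size_t count = data[0];
    if (len - 1 < count)            /* source bound only */
        return -1;

    for (size_t i = 0; i < count; i++)
        entries[i] = data[1 + i];   /* out-of-bounds write when count > MAX_ENTRIES */

    for (size_t i = 0; i < count; i++)
        sum += entries[i];
    if (sum_out)
        *sum_out = sum;
    return (int)count;
}

/* Hardened form: the same parser with the destination bound checked before
 * any write. Over-long headers are rejected instead of copied. */
static int parse_entries_hardened(const uint8_t *data, size_t len,
                                  uint32_t *sum_out)
{
    uint8_t entries[MAX_ENTRIES];
    uint32_t sum = 0;

    if (len < 1)
        return -1;
    size_t count = data[0];
    if (count > MAX_ENTRIES)        /* destination bound: the check that was missing */
        return -1;
    if (len - 1 < count)            /* source bound, as before */
        return -1;

    for (size_t i = 0; i < count; i++)
        entries[i] = data[1 + i];

    for (size_t i = 0; i < count; i++)
        sum += entries[i];
    if (sum_out)
        *sum_out = sum;
    return (int)count;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = {3, 10, 20, 30};
static const uint8_t SAMPLE_OVERSIZED[] = {12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
static const uint8_t SAMPLE_TRUNCATED[] = {3, 10};

int main(void)
{
    uint32_t sum = 0;
    int n;

    /* Well-formed input: both parsers agree (count 3, sum 60). */
    n = parse_entries_vulnerable(SAMPLE_OK, sizeof SAMPLE_OK, &sum);
    printf("vulnerable, well-formed: count=%d sum=%u\n", n, sum);
    n = parse_entries_hardened(SAMPLE_OK, sizeof SAMPLE_OK, &sum);
    printf("hardened, well-formed:   count=%d sum=%u\n", n, sum);

    /* Oversized count: only the hardened parser is safe to run on it. */
    n = parse_entries_hardened(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, NULL);
    printf("hardened, oversized:     %s\n", n < 0 ? "rejected" : "accepted");

    /* Truncated input: source-bound check rejects it in both variants. */
    n = parse_entries_hardened(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL);
    printf("hardened, truncated:     %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The point of the side-by-side is that the two functions are identical except for one comparison against the destination capacity; a source-length check alone, which the vulnerable variant does have, gives no protection against a count field larger than the stack array. Compiler hardening such as stack protectors turns the write into a crash rather than code execution, but the parser-level check is what actually removes the bug.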
Affected Products
The CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* carries a wildcard version field, so GStreamer installations of any version should be treated as potentially affected until confirmed otherwise. Debian Linux 11.0 (Bullseye) systems are specifically confirmed as vulnerable based on the security announcement from the Debian LTS team. The vulnerability was originally tracked as ZDI-CAN-26596 by the Zero Day Initiative before receiving the CVE-2025-3887 designation. Organizations should review their GStreamer deployments across all platforms, since the flaw lies in the core codec parsing functionality rather than in platform-specific code.
Remediation
Apply the security updates provided by your Linux distribution or GStreamer maintainers immediately, with Debian users specifically directed to the advisory at https://lists.debian.org/debian-lts-announce/2025/06/msg00017.html. Until patches can be applied, implement defense-in-depth measures including restricting the processing of untrusted H265/HEVC video content, implementing sandboxing for media processing applications, and monitoring for suspicious process behavior following media file processing. For additional technical details about the vulnerability, refer to the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-25-267/.