GStreamer CVE-2025-47183

Severity: MEDIUM (CVSS 3.1 base score 6.6)
Weakness: Out-of-bounds Read (CWE-125)
Published: 2025-08-07 by cve@mitre.org

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Patch released: Apr 06, 2026 - 08:30 (nvd). Patch available.
Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 15:52 (vuln.today). Public exploit code.
CVE Published: Aug 07, 2025 - 20:15 (nvd). Scored MEDIUM 6.6.

Description (NVD)

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.

Analysis (AI)

A heap buffer over-read exists in GStreamer's isomp4 plugin (the qtdemux_parse_tree function) when parsing MP4 files, affecting versions through 1.26.1. Per the CVSS vector, exploitation requires a local, low-privileged attacker and user interaction, i.e. getting a user to open a crafted MP4 file; the impact is disclosure of heap memory contents (C:H) and a crash of the parsing application (A:H), with no integrity impact. Publicly available proof-of-concept code exists (see the timeline above), and while the EPSS score of 0.02% indicates a low exploitation probability overall, the presence of public exploit code and the information disclosure impact warrant prompt patching.

Technical Context (AI)

GStreamer is a multimedia framework used across Linux distributions, embedded systems, and media applications for audio/video processing and playback. The vulnerability resides in the isomp4 (ISO Base Media File Format) demultiplexer plugin, which provides the qtdemux element and ships in the gst-plugins-good module, specifically in the qtdemux_parse_tree function responsible for parsing the hierarchical atom/box structure of MP4 container files. The root cause is classified as CWE-125 (Out-of-bounds Read): the parser reads atom data beyond the end of the allocated heap buffer. The public description does not name the exact field involved, but an over-read in a box parser of this kind typically means a size or offset taken from an atom header is used to read atom data without first being compared against the number of bytes actually available in the buffer. GStreamer versions prior to and including 1.26.1 are affected on every platform where the isomp4 plugin is built and loaded (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*).
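The size-field checks described above, as an added example that is not GStreamer's code and does not reproduce the qtdemux implementation: a minimal C walker over the ISO BMFF box structure that validates each atom's declared size against the bytes actually available, beside the unchecked pattern that advances by the declared size and would read past the end of a heap buffer. The three sample buffers are constructed for this example; the list of container boxes and the nesting limit are choices made here, not taken from GStreamer.

```c
/* Added example, not GStreamer code. Minimal ISO BMFF (MP4) box walker showing
 * the size checks a demuxer must make before trusting an atom header, beside
 * the unchecked pattern that leads to a heap over-read. Sample data is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_HEADER 8  /* 32-bit size + 4-byte type */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p) {
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Hardened header parse. Returns 1 and fills *box_len, *hdr_len and type when the
 * header at `off` is well formed and the box it declares fits inside `len`;
 * returns 0 otherwise, so the caller never reads past the buffer. */
static int read_box(const uint8_t *buf, size_t len, size_t off,
                    size_t *box_len, size_t *hdr_len, char type[5]) {
    if (off > len || len - off < BOX_HEADER) return 0;   /* the header itself must fit */
    size_t avail = len - off;
    uint64_t sz = rd32(buf + off);
    size_t hdr = BOX_HEADER;
    if (sz == 1) {                        /* 'largesize': 64-bit size follows the type */
        if (avail < 16) return 0;
        sz = rd64(buf + off + 8);
        hdr = 16;
    } else if (sz == 0) {                 /* size 0: box extends to the end of the data */
        sz = avail;
    }
    if (sz < hdr || sz > avail) return 0; /* undersized or oversized declaration */
    memcpy(type, buf + off + 4, 4);
    type[4] = '\0';
    *box_len = (size_t)sz;
    *hdr_len = hdr;
    return 1;
}

/* Walks the boxes in buf[0..len), recursing into common container boxes.
 * Returns the number of boxes visited, or -1 at the first malformed size field. */
static int walk_boxes(const uint8_t *buf, size_t len, int depth) {
    static const char *const containers[] = { "moov", "trak", "mdia", "minf", "stbl", "udta", NULL };
    int count = 0;
    size_t off = 0;
    if (depth > 16) return -1;            /* refuse pathological nesting */
    while (off < len) {
        size_t box_len, hdr_len;
        char type[5];
        if (!read_box(buf, len, off, &box_len, &hdr_len, type)) return -1;
        count++;
        for (int i = 0; containers[i]; i++) {
            if (memcmp(type, containers[i], 4) == 0) {
                int sub = walk_boxes(buf + off + hdr_len, box_len - hdr_len, depth + 1);
                if (sub < 0) return -1;
                count += sub;
                break;
            }
        }
        off += box_len;
    }
    return count;
}

/* The unchecked pattern: trusts each declared size and advances by it without
 * comparing it to `len`. To keep this example memory-safe it stops as soon as the
 * cursor leaves the buffer and returns how many bytes past the end the next read
 * would touch (0 for a well-formed buffer); in a real demuxer those bytes are
 * whatever heap memory happens to follow the file data. */
static size_t unchecked_overread(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (len - off >= BOX_HEADER) {
        uint32_t sz = rd32(buf + off);
        if (sz < BOX_HEADER) break;       /* only to avoid looping forever in the demo */
        off += sz;                        /* no check that sz <= len - off */
        if (off > len) return off - len;
    }
    return 0;
}

/* Constructed: ftyp (20 bytes) + moov (24 bytes) holding empty udta and trak boxes. */
static const uint8_t GOOD_MP4[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x00, 'i','s','o','m',
    0x00,0x00,0x00,0x18, 'm','o','o','v',
    0x00,0x00,0x00,0x08, 'u','d','t','a',
    0x00,0x00,0x00,0x08, 't','r','a','k',
};

/* Constructed: same ftyp, then a moov header claiming 0x1000 bytes when only 16 remain. */
static const uint8_t OVERSIZED_MP4[] = {
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x00, 'i','s','o','m',
    0x00,0x00,0x10,0x00, 'm','o','o','v',
    0x00,0x00,0x00,0x08, 'u','d','t','a',
};

/* Constructed: a box whose declared size (4) is smaller than its own header. */
static const uint8_t UNDERSIZED_MP4[] = { 0x00,0x00,0x00,0x04, 'f','r','e','e' };

int main(void) {
    printf("good: %d boxes, overread %zu\n", walk_boxes(GOOD_MP4, sizeof GOOD_MP4, 0),
           unchecked_overread(GOOD_MP4, sizeof GOOD_MP4));
    printf("oversized: walk=%d, unchecked would read %zu bytes past the end\n",
           walk_boxes(OVERSIZED_MP4, sizeof OVERSIZED_MP4, 0),
           unchecked_overread(OVERSIZED_MP4, sizeof OVERSIZED_MP4));
    printf("undersized: walk=%d\n", walk_boxes(UNDERSIZED_MP4, sizeof UNDERSIZED_MP4, 0));
    return 0;
}
```

The two comparisons in read_box (size not smaller than its own header, size not larger than the bytes remaining) are the whole difference between the walkers: the checked walker rejects the oversized moov header, while the unchecked one would have stepped 4080 bytes past the end of a 36-byte allocation and returned whatever lay there.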

Remediation (AI)

The primary remediation is to upgrade GStreamer to a version newer than 1.26.1. The timeline above records a patch as released; take the specific fixed version from the GStreamer security advisories (https://gstreamer.freedesktop.org/security/) rather than assuming it is the next point release. On Debian and Ubuntu the isomp4 plugin (qtdemux) is shipped in gstreamer1.0-plugins-good, not -plugins-bad, so update that package (apt update && apt install --only-upgrade gstreamer1.0-plugins-good) or the equivalent for your distribution. Applications that bundle their own GStreamer build must be rebuilt against the patched library. Until patching is feasible, apply mitigations: stop automatic pipelines (playbin, decodebin) from selecting qtdemux by demoting its rank with GST_PLUGIN_FEATURE_RANK=qtdemux:NONE (supported since GStreamer 1.18); be aware that an application which instantiates qtdemux by name still uses it, so a hard disable means removing libgstisomp4.so from the plugin directory. Restrict opening untrusted MP4 files by disabling media autoplay in applications, and run media applications with minimal privileges and in a sandbox where one is available. Additionally, monitor the referenced Atredis advisory (https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md) and VulDB entry (https://vuldb.com/?id.319188) for updates on patching timelines or additional technical details.

Vendor Status (Vendor): no vendor statement recorded on this page
