CVE-2025-47183
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Description
In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.
Analysis
A heap buffer over-read (CWE-125) exists in the qtdemux_parse_tree function of GStreamer's isomp4 plugin when it parses MP4 files, in all versions through 1.26.1. The CVSS vector (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H) describes the usual file-format attack path: the bug is triggered in the context of a user who opens, previews or auto-plays a crafted MP4, and its effect is limited to that process. A successful over-read can disclose heap memory contents (C:H) or crash the parsing application (A:H); it does not allow memory to be modified (I:N). Publicly available proof-of-concept code exists. The EPSS score of 0.02% indicates a low probability of exploitation in the wild, but the public PoC and the information-disclosure impact still justify prompt patching.
Technical Context
GStreamer is a multimedia framework used across Linux distributions, embedded systems, and media applications for audio/video processing and playback. The vulnerability resides in the isomp4 (ISO Base Media File Format) demuxer plugin, specifically in the qtdemux_parse_tree function, which walks the hierarchical atom/box structure of MP4 container files. The root cause is classified as CWE-125 (Out-of-bounds Read): the parser does not properly validate buffer boundaries before reading atom data, so a read can extend beyond the allocated heap buffer. The public description does not name the specific field involved; the typical shape of such a bug in a box parser is that a size or offset field taken from the atom header is used to index the buffer without first being checked against the number of bytes actually available. GStreamer versions prior to and including 1.26.1 are affected on every platform where the isomp4 plugin is compiled and loaded (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*).
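To make the CWE-125 pattern concrete, the following is an added example, written for this page and not GStreamer's qtdemux code: a minimal ISO BMFF box walker that performs the three bounds checks a demuxer must do before trusting a box header. The sample byte arrays are constructed here (a well-formed ftyp/moov/trak/mdia skeleton, the same file with an oversized moov size field, and a file truncated inside a header); the function names and the container-box list are this example's own assumptions.

```c
/* Added illustrative MP4 box walker, not GStreamer's qtdemux.
 * Shows the bounds checks whose absence yields a CWE-125 over-read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8 /* nesting limit; also guards against runaway recursion */

/* Box headers are big-endian (network byte order). */
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static uint64_t rd64(const uint8_t *p)
{
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Boxes whose payload is itself a sequence of boxes (assumed subset). */
static int is_container(const uint8_t *type)
{
    static const char *const kinds[] = { "moov", "trak", "mdia", "minf", "stbl" };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++)
        if (memcmp(type, kinds[i], 4) == 0)
            return 1;
    return 0;
}

/* Walk [buf, buf+len). Returns the number of boxes visited, or -1 as soon
 * as any header or size field would require reading past the buffer. */
int parse_boxes(const uint8_t *buf, size_t len, int depth)
{
    size_t off = 0;
    int count = 0;

    if (depth > MAX_DEPTH)
        return -1;
    while (off < len) {
        size_t avail = len - off;
        size_t hdr = 8;
        uint64_t size;
        const uint8_t *type;

        /* Check 1: never read an 8-byte header from fewer than 8 bytes. */
        if (avail < 8)
            return -1;
        size = rd32(buf + off);
        type = buf + off + 4;
        if (size == 1) {            /* 64-bit "largesize" follows the type */
            if (avail < 16)
                return -1;
            size = rd64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {     /* box runs to the end of the data */
            size = avail;
        }
        /* Check 2: the declared size must at least cover its own header. */
        if (size < hdr)
            return -1;
        /* Check 3: the declared size must not exceed the bytes in memory.
         * Omitting this check is the over-read: child parsing would index
         * up to buf[off + size] although the heap block ends at buf[len]. */
        if (size > avail)
            return -1;
        count++;
        if (is_container(type)) {
            int sub = parse_boxes(buf + off + hdr, (size_t)(size - hdr), depth + 1);
            if (sub < 0)
                return -1;
            count += sub;
        }
        off += (size_t)size;
    }
    return count;
}

/* Constructed samples (not real files): ftyp(20) + moov(24) > trak(16) > mdia(8). */
static const uint8_t good_mp4[] = {
    0, 0, 0, 20, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 2, 0, 'i', 's', 'o', 'm',
    0, 0, 0, 24, 'm', 'o', 'o', 'v',
    0, 0, 0, 16, 't', 'r', 'a', 'k',
    0, 0, 0, 8,  'm', 'd', 'i', 'a'
};
/* Same layout, but moov claims 0x7fffffff bytes: the CWE-125 trigger shape. */
static const uint8_t oversized_mp4[] = {
    0, 0, 0, 20, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 2, 0, 'i', 's', 'o', 'm',
    0x7f, 0xff, 0xff, 0xff, 'm', 'o', 'o', 'v',
    0, 0, 0, 16, 't', 'r', 'a', 'k',
    0, 0, 0, 8,  'm', 'd', 'i', 'a'
};
/* File cut off five bytes into the second header. */
static const uint8_t truncated_mp4[] = {
    0, 0, 0, 20, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 2, 0, 'i', 's', 'o', 'm',
    0, 0, 0, 24, 'm'
};

int parse_good(void)      { return parse_boxes(good_mp4, sizeof good_mp4, 0); }
int parse_oversized(void) { return parse_boxes(oversized_mp4, sizeof oversized_mp4, 0); }
int parse_truncated(void) { return parse_boxes(truncated_mp4, sizeof truncated_mp4, 0); }

int main(void)
{
    printf("well-formed: %d boxes\n", parse_good());
    printf("oversized moov: %d\n", parse_oversized());
    printf("truncated header: %d\n", parse_truncated());
    return 0;
}
```

The oversized sample is the interesting one: a parser that skips check 3 would recurse into moov with a length of 0x7fffffff minus 8 and read trak, mdia and whatever lies beyond the 44-byte allocation as if it were box data, which is exactly the heap over-read the CWE-125 classification describes. Fuzzing a demuxer with an address sanitizer build catches this class of bug at the first out-of-bounds byte.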
Affected Products
GStreamer through version 1.26.1 is affected, as identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. This covers every distribution and application that bundles or depends on GStreamer with the isomp4 plugin enabled, including desktop media players (GNOME Videos, also known as Totem), web browsers with a GStreamer media backend (for example WebKitGTK-based browsers), embedded multimedia systems, and custom applications built on the GStreamer libraries. All releases up to and including 1.26.1 are in scope. Consult the GStreamer security advisories at https://gstreamer.freedesktop.org/security/ for definitive patching guidance and check your distribution's package repositories for updated GStreamer packages.
Remediation
The primary remediation is to upgrade GStreamer to a release newer than 1.26.1 that the GStreamer security advisories (https://gstreamer.freedesktop.org/security/) list as fixed. On distributions, update via the package manager; note that the isomp4 plugin ships in the gst-plugins-good module, so on Debian/Ubuntu the relevant package is gstreamer1.0-plugins-good (apt update && apt install --only-upgrade gstreamer1.0-plugins-good), and the equivalent on Fedora is gstreamer1-plugins-good. Applications that bundle their own GStreamer build must rebuild against the patched libraries. You can confirm which version is loaded with gst-inspect-1.0 qtdemux. Until patching is feasible, apply mitigations: if MP4/MOV playback is not required, demote the demuxer so autoplugging never selects it (GST_PLUGIN_FEATURE_RANK=qtdemux:NONE in the environment of the affected process) or remove the plugin file libgstisomp4.so from the plugin directory; the rank override only affects processes that inherit the variable and applications that autoplug, whereas removing the file also stops applications that instantiate qtdemux explicitly, at the cost of breaking all MP4 and MOV playback. Also disable media autoplay and inline previews for untrusted files, and run media applications with minimal privileges (sandboxed Flatpak or Snap builds limit what a leaked process can reach). Monitor the referenced Atredis advisory (https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md) and VulDB entry (https://vuldb.com/?id.319188) for updates on patching timelines or additional technical details.