
GStreamer CVE-2025-47219

Severity: HIGH (CVSS 3.1 base score 8.1, NVD)
Weakness: Out-of-bounds Read (CWE-125)
Published: 2025-08-07 (cve@mitre.org)

Severity by source

NVD (primary): 8.1 HIGH, vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE: HIGH (qualitative rating)
Red Hat: 5.6 MEDIUM (qualitative rating)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events, newest first)

Patch released: Apr 06, 2026 - 08:30 (nvd); patch available
Analysis generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC detected: Mar 17, 2026 - 15:52 (vuln.today); public exploit code
CVE published: Aug 07, 2025 - 20:15 (nvd); rated HIGH 8.1

Description (source: CVE.org)

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Analysis (AI-generated)

A heap buffer over-read vulnerability exists in GStreamer's isomp4 plugin that allows reading past allocated memory boundaries when parsing specially crafted MP4 files. This affects GStreamer through version 1.26.1 and can lead to information disclosure of heap memory contents. A public proof-of-concept exploit is available, though the EPSS score of 0.09% suggests relatively low exploitation likelihood in the wild.

Technical Context (AI-generated)

GStreamer is a popular open-source multimedia framework used across Linux distributions and applications for audio/video processing. The vulnerability occurs in the qtdemux_parse_trak function within the isomp4 plugin, which is responsible for parsing MP4/MOV container formats. This is a classic CWE-125 out-of-bounds read vulnerability where the parser fails to properly validate buffer boundaries when processing track atom data in MP4 files. The affected product is identified as cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* for versions up to and including 1.26.1.

Remediation (AI-generated)

Upgrade GStreamer to a version newer than 1.26.1 once a patched release becomes available from the vendor. Monitor the official GStreamer security page at https://gstreamer.freedesktop.org/security/ for patch announcements. As a temporary mitigation, consider restricting processing of untrusted MP4 files or implementing input validation before passing files to GStreamer-based applications. Organizations using GStreamer in production should assess which applications depend on the isomp4 plugin and prioritize patching based on exposure to untrusted media files.

Vendor Status (vendor-reported)

SUSE

Severity: High

Product Status:
SUSE Linux Enterprise Desktop 15 SP6, SUSE Linux Enterprise Server 15 SP6, SUSE Linux Enterprise Server for SAP Applications 15 SP6: Fixed
SUSE Linux Enterprise Desktop 15 SP7, SUSE Linux Enterprise Server 15 SP7, SUSE Linux Enterprise Server for SAP Applications 15 SP7: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP6, SUSE Linux Enterprise Module for Basesystem 15 SP6: Fixed


CVE-2025-47219 vulnerability details – vuln.today
