CVE-2025-47219

Severity: HIGH, CVSS 3.1 base score 8.1
Published: 2025-08-07 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Apr 06, 2026 - 08:30 (nvd) - patch available
Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 15:52 (vuln.today) - public exploit code
CVE Published: Aug 07, 2025 - 20:15 (nvd)

Description

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Analysis

A heap buffer over-read vulnerability exists in GStreamer's isomp4 plugin that allows reading past allocated memory boundaries when parsing specially crafted MP4 files. This affects GStreamer through version 1.26.1 and can lead to information disclosure of heap memory contents. A public proof-of-concept exploit is available, though the EPSS score of 0.09% suggests relatively low exploitation likelihood in the wild.

Technical Context

GStreamer is a popular open-source multimedia framework used across Linux distributions and applications for audio/video processing. The vulnerability occurs in the qtdemux_parse_trak function within the isomp4 plugin, which is responsible for parsing MP4/MOV container formats. This is a classic CWE-125 out-of-bounds read vulnerability where the parser fails to properly validate buffer boundaries when processing track atom data in MP4 files. The affected product is identified as cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* for versions up to and including 1.26.1.
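As an added example (not GStreamer's qtdemux code, and not a reproduction of the actual defect), the following C box walker shows the kind of length check an MP4/ISO BMFF atom parser needs so that a crafted size field cannot drive reads past the end of the buffer; `walk_boxes`, `last_box_type` and the `good`/`bad` byte arrays are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative ISO BMFF box walker (not GStreamer code): every header read and
 * every declared box size is checked against the bytes actually available. */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
char last_box_type[5];  /* type of the last box accepted */
/* Walks the top-level boxes in buf[0..len). Returns the box count, or -1 when a
 * header or a declared size would reach past len, which is the condition an
 * unchecked parser turns into a heap over-read (CWE-125). */
int walk_boxes(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < 8) return -1;                    /* truncated header */
        uint64_t size = rd32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                                 /* 64-bit largesize */
            if (len - off < 16) return -1;
            size = ((uint64_t)rd32(buf + off + 8) << 32) | rd32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {                          /* box runs to end */
            size = len - off;
        }
        if (size < hdr || size > len - off) return -1;   /* size escapes buffer */
        memcpy(last_box_type, buf + off + 4, 4);
        last_box_type[4] = '\0';
        n++;
        off += (size_t)size;
    }
    return n;
}

/* Constructed samples: a well-formed ftyp+moov pair, and a trak box claiming
 * 4096 bytes inside a 16-byte buffer. */
static const uint8_t good[] = { 0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,1,
                                0,0,0,8,'m','o','o','v' };
static const uint8_t bad[]  = { 0,0,0,8,'f','t','y','p', 0,0,0x10,0,'t','r','a','k' };

int main(void) {
    printf("good: %d boxes, last type %s\n", walk_boxes(good, sizeof good), last_box_type);
    printf("bad: %d (rejected)\n", walk_boxes(bad, sizeof bad));
    return 0;
}
```

The same check applied before handing a file to a GStreamer pipeline is one concrete form of the input validation the Remediation section suggests.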

Affected Products

GStreamer versions through 1.26.1 are affected, specifically the isomp4 plugin component used for MP4/MOV file parsing. The affected product is identified by the CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*, and the issue applies on every platform where GStreamer is deployed. The vendor has acknowledged the issue on its security page at https://gstreamer.freedesktop.org/security/. Additional technical details are available in the Atredis Partners advisory at https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md.

Remediation

Upgrade GStreamer to a version newer than 1.26.1 once a patched release becomes available from the vendor. Monitor the official GStreamer security page at https://gstreamer.freedesktop.org/security/ for patch announcements. As a temporary mitigation, consider restricting processing of untrusted MP4 files or implementing input validation before passing files to GStreamer-based applications. Organizations using GStreamer in production should assess which applications depend on the isomp4 plugin and prioritize patching based on exposure to untrusted media files.

Priority Score

61 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +40
POC: +20

CVE-2025-47219 vulnerability details – vuln.today