Memory Handling Flaw in GStreamer Affects Multiple Versions
CVE-2021-3497

7.8HIGH

Key Information:

Vendor

Gstreamer Project

Status
Gstreamer-plugins-good
Vendor
CVE Published:
19 April 2021

What is CVE-2021-3497?

The GStreamer multimedia framework, prior to version 1.18.4, contains a memory handling vulnerability that occurs when the system processes malformed Matroska files. Specifically, the vulnerability stems from the potential access to memory that has already been freed in certain error code paths during the demuxing process. This can lead to unpredictable behavior, including application crashes or the execution of arbitrary code, particularly when handling maliciously crafted media files.

Affected Version(s)

gstreamer-plugins-good gstreamer-plugins-good 1.18.4

References

https://bugzilla.redhat.com/show_bug.cgi?id=1945339
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2021-0002.html
x_refsource_MISC
https://www.debian.org/security/2021/dsa-4900
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.