GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-37328

8.8HIGH

Key Information:

Vendor: Gstreamer
Status: Gstreamer
Vendor: CVE Published:; 3 May 2024

What is CVE-2023-37328?

A vulnerability exists in the GStreamer media processing library during the parsing of PGS subtitle files. This flaw is characterized by insufficient validation of user-supplied data length before copying it to a heap-based buffer, leading to a potential buffer overflow condition. As a result, remote attackers can exploit this vulnerability, allowing them to execute arbitrary code within the context of the application using the affected library. The variety of attack vectors depends on how GStreamer is implemented within different applications.

Affected Version(s)

GStreamer 1.22 and latest commit 6dff93acf69c40271a769aa2fa35efbcc2aeb9b4

References

https://www.zerodayinitiative.com/advisories/ZDI-23-901/

x_research-advisory

https://gstreamer.freedesktop.org/security/sa-2023-0003.html

vendor-advisory

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024
Vulnerability Reserved
Jun 30, 2023

JSON

Gstreamer

What is CVE-2023-37328?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline