GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-37328

8.8HIGH

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
3 May 2024

What is CVE-2023-37328?

A vulnerability exists in the GStreamer media processing library during the parsing of PGS subtitle files. This flaw is characterized by insufficient validation of user-supplied data length before copying it to a heap-based buffer, leading to a potential buffer overflow condition. As a result, remote attackers can exploit this vulnerability, allowing them to execute arbitrary code within the context of the application using the affected library. The variety of attack vectors depends on how GStreamer is implemented within different applications.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

GStreamer 1.22 and latest commit 6dff93acf69c40271a769aa2fa35efbcc2aeb9b4

References

https://www.zerodayinitiative.com/advisories/ZDI-23-901/
x_research-advisory
https://gstreamer.freedesktop.org/security/sa-2023-0003.html
vendor-advisory

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

CVSS V3.0

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.