GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-50186
8.8 HIGH
What is CVE-2023-50186?
A vulnerability exists in the GStreamer Media Framework in the parsing of AV1 encoded video files. The flaw lies in metadata parsing: the length of user-supplied data is not sufficiently validated before the data is copied to a fixed-length stack-based buffer. A remote attacker can exploit this to potentially execute arbitrary code in the context of the current process, compromising system integrity. Successful exploitation requires interaction with an affected GStreamer installation. Comprehensive patching and detection strategies are recommended to mitigate the risks associated with this vulnerability.
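The validation this bug class lacks, as an added example (not GStreamer's code and not the actual fix): a length-prefixed record is copied into a fixed stack buffer only after the declared length is checked against both the remaining input and the buffer size. The names `META_BUF_LEN`, `read_leb128` and `parse_metadata` are hypothetical, and the record layout (a leb128 length followed by payload, the size encoding AV1 uses) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define META_BUF_LEN 16  /* hypothetical fixed-size stack buffer */

/* Decode an AV1-style leb128 length (at most 8 bytes, value must fit in
 * 32 bits). Returns bytes consumed, or 0 on truncated/oversized input. */
static size_t read_leb128(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < 8 && i < avail; i++) {
        v |= (uint64_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) {          /* last byte of the length field */
            if (v > UINT32_MAX)
                return 0;
            *out = (uint32_t)v;
            return i + 1;
        }
    }
    return 0;                          /* ran out of input or of allowed bytes */
}

/* Parse "<leb128 length><payload>" and sum the payload through a fixed
 * stack buffer. Returns 0 on success, -1 if the record is rejected. */
int parse_metadata(const uint8_t *data, size_t size, uint32_t *sum)
{
    uint8_t buf[META_BUF_LEN];
    uint32_t len;
    size_t hdr = read_leb128(data, size, &len);

    if (hdr == 0)
        return -1;                     /* malformed length field */
    if (len > size - hdr)
        return -1;                     /* declares more bytes than the input holds */
    if (len > sizeof buf)
        return -1;                     /* the check whose absence is the bug class */
    memcpy(buf, data + hdr, len);      /* safe: len <= sizeof buf */
    *sum = 0;
    for (uint32_t i = 0; i < len; i++)
        *sum += buf[i];
    return 0;
}

int main(void)
{
    const uint8_t sample[33] = {0x20}; /* constructed: declares 32 payload bytes */
    uint32_t s;
    return parse_metadata(sample, sizeof sample, &s) == -1 ? 0 : 1;
}
```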
Affected Version(s)
GStreamer bd4a9fde89e2549887e8a77d22ab027bed70d743
