GStreamer AV1 Video Parsing Buffer Overflow Vulnerability Allows Remote Code Execution
CVE-2024-0444

8.8HIGH

Key Information:

Vendor: GStreamer
Status: Vendor
CVE Published: 7 June 2024

Badges

📰 News Worthy

What is CVE-2024-0444?

CVE-2024-0444 is a critical stack-based buffer overflow in GStreamer's AV1 video parser, with a high CVSS score of 7.5, indicating its severe impact. It allows remote attackers to execute arbitrary code on affected installations of GStreamer. The flaw arises because the length of user-supplied data is not properly validated before the data is copied into a fixed-length stack-based buffer. Exploitation requires interaction with this library, and the attack vector varies with how the application uses it. No exploitation in the wild, including by ransomware groups, is currently known. Organizations using GStreamer are nevertheless strongly encouraged to apply available patches or updates promptly to mitigate the risk.

Affected Version(s)

GStreamer ea6d602ccacee5f4bdf45b9f58eb0dc5320f3c07

News Articles

GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability [CVE-2024-0444]

CVE number = CVE-2024-0444 CVSS Score = 7.5 This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit...

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • 📰 First article discovered by SystemTek

  • Vulnerability Reserved