Null Pointer Dereference in id3v2_read_synch_uint Function
CVE-2024-47542

7.5HIGH

Key Information:

Vendor: Gstreamer
Status: Gstreamer
Vendor: CVE Published:; 12 December 2024

What is CVE-2024-47542?

A vulnerability exists in the GStreamer library due to a null pointer dereference encountered in the id3v2_read_synch_uint function within id3v2.c. When the function is invoked with a null reference for work->hdr.frame_data, it accesses the pointer guint8 *data without performing necessary validation checks. This oversight can lead to a segmentation fault, resulting in a Denial of Service (DoS) condition. Affected users of GStreamer should update to version 1.24.10 or higher to mitigate this vulnerability. For further details, refer to the official advisory and patches provided by the GStreamer development team.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-235_G...

x_refsource_CONFIRM

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...

x_refsource_MISC

https://gstreamer.freedesktop.org/security/sa-2024-0008.html

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Sep 25, 2024

Gstreamer

What is CVE-2024-47542?

Affected Version(s)

References

CVSS V3.1

Timeline