Null Pointer Dereference in id3v2_read_synch_uint Function
CVE-2024-47542

6.8MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47542?

A vulnerability exists in the GStreamer library due to a null pointer dereference encountered in the id3v2_read_synch_uint function within id3v2.c. When the function is invoked with a null reference for work->hdr.frame_data, it accesses the pointer guint8 *data without performing necessary validation checks. This oversight can lead to a segmentation fault, resulting in a Denial of Service (DoS) condition. Affected users of GStreamer should update to version 1.24.10 or higher to mitigate this vulnerability. For further details, refer to the official advisory and patches provided by the GStreamer development team.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-235_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0008.html
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.