GStreamer Vulnerability Could Allow Access to Process Memory
CVE-2024-47543

5.1MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47543?

An out-of-bounds read vulnerability has been identified in the qtdemux_parse_container function within GStreamer's qtdemux.c file. The issue arises due to insufficient validation of the length parameter in the parent function qtdemux_parse_node, which may allow a pointer to exceed the buffer's boundaries. This condition can lead to the while loop in qtdemux_parse_container accessing memory outside valid limits, potentially reading up to 4GB of process memory. This vulnerability may also trigger a segmentation fault (SEGV) when attempting to access invalid memory. A fix for this issue is implemented in version 1.24.10.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-236_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0009.html
x_refsource_MISC

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.