GHSL-2024-238: GStreamer has NULL-pointer dereferences in MP4/MOV demuxer CENC handling
CVE-2024-47544

6.8MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47544?

The GStreamer media handling library has a null dereference vulnerability in the function qtdemux_parse_sbgp located in qtdemux.c. This flaw occurs when processing certain media files, enabling potential crashes and instability in applications relying on GStreamer. The vulnerability has been addressed in version 1.24.10, which contains a fix to mitigate the risk associated with this exploitation path. Users are encouraged to update to the latest version to ensure security and stability.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-238_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0011.html
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

JSON
.