Null Pointer Dereference in GStreamer Library Affecting Media Components
CVE-2024-47599

6.8MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47599?

A null pointer dereference vulnerability has been identified within the GStreamer library, specifically in the gst_jpeg_dec_negotiate function found in gstjpegdec.c. The vulnerability arises when the function fails to verify a NULL return from gst_video_decoder_set_output_state, leading to a subsequent dereference of the outstate pointer. This oversight can result in a segmentation fault, ultimately causing a Denial of Service (DoS) condition. Users are advised to upgrade to version 1.24.10 or later, where this issue has been addressed.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-247_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0016.html
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

JSON
.