GHSL-2024-249: GStreamer has a NULL-pointer dereference in Matroska/WebM demuxer
CVE-2024-47601

6.8MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47601?

The GStreamer library, widely used for constructing media-handling components, has experienced a vulnerability within its parsing function. Specifically, the gst_matroska_demux_parse_blockgroup_or_simpleblock function in matroska-demux.c contains a flaw that does not adequately validate the GstBuffer *sub pointer prior to dereferencing. This oversight can lead to potential null pointer dereferences, posing a risk for stability and security within applications reliant on this library. An update to version 1.24.10 is crucial to mitigate this vulnerability.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-249_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0020.html
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

JSON
.