GHSL-2024-249: GStreamer has a NULL-pointer dereference in Matroska/WebM demuxer
CVE-2024-47601

7.5HIGH

Key Information:

Vendor: Gstreamer
Status: Gstreamer
Vendor: CVE Published:; 12 December 2024

What is CVE-2024-47601?

The GStreamer library, widely used for constructing media-handling components, has experienced a vulnerability within its parsing function. Specifically, the gst_matroska_demux_parse_blockgroup_or_simpleblock function in matroska-demux.c contains a flaw that does not adequately validate the GstBuffer *sub pointer prior to dereferencing. This oversight can lead to potential null pointer dereferences, posing a risk for stability and security within applications reliant on this library. An update to version 1.24.10 is crucial to mitigate this vulnerability.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-249_G...

x_refsource_CONFIRM

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...

x_refsource_MISC

https://gstreamer.freedesktop.org/security/sa-2024-0020.html

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2024

Gstreamer

What is CVE-2024-47601?

Affected Version(s)

References

CVSS V3.1

Timeline