GHSL-2024-250: Streamer NULL-pointer dereferences and out-of-bounds reads in Matroska/WebM demuxer
CVE-2024-47602

6.8MEDIUM

Key Information:

Vendor

Gstreamer

Status
Gstreamer
Vendor
CVE Published:
12 December 2024

What is CVE-2024-47602?

A null pointer dereference vulnerability exists in the gst_matroska_demux_add_wvpk_header function within the GStreamer library. This issue arises from insufficient validation of the stream->codec_priv pointer. If this pointer is NULL, a subsequent call to GST_READ_UINT16_LE will attempt to dereference it. This situation can cause the application utilizing GStreamer to crash unexpectedly. The vulnerability has been addressed in version 1.24.10 of GStreamer, ensuring proper checks are in place to prevent such dereferences.

Affected Version(s)

gstreamer < 1.24.10

References

https://securitylab.github.com/advisories/GHSL-2024-250_G...
x_refsource_CONFIRM
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...
x_refsource_MISC
https://gstreamer.freedesktop.org/security/sa-2024-0019.html
x_refsource_MISC

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

JSON
.