Null Pointer Dereference in GStreamer Media Library
CVE-2024-47603

7.5HIGH

Key Information:

Vendor: Gstreamer Project
Status: Gstreamer
Vendor: CVE Published:; 12 December 2024

🔔 Create Gstreamer Project Vulnerability Alert

What is CVE-2024-47603?

The GStreamer media handling library contains a null pointer dereference vulnerability located in the gst_matroska_demux_update_tracks function of the matroska-demux.c file. This vulnerability arises when the gst_caps_is_equal function is invoked with invalid capabilities values, leading to a subsequent call to gst_buffer_get_size that may return a null pointer. When the size field of this null pointer is dereferenced, it results in a null pointer dereference, potentially causing application crashes or other unintended behaviors. This issue has been addressed in version 1.24.10 of GStreamer, and users are advised to update their installations to mitigate the risk.

References

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merg...

https://gstreamer.freedesktop.org/security/sa-2024-0021.html

https://securitylab.github.com/advisories/GHSL-2024-251_G...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2024