Out-of-Bounds Read in GStreamer Library
CVE-2024-47776
What is CVE-2024-47776?
An out-of-bounds read vulnerability exists in the GStreamer library, in the function gst_wavparse_cue_chunk in gstwavparse.c. It arises from a mismatch between the actual size of the data buffer and the size value the function expects. When a condition evaluates incorrectly, the function can access memory beyond the limits of the data buffer. The root cause is an error in clipping the chunk size based on upstream data, which could allow an attacker to read past allocated memory. Exploitation may result in a denial of service through a crash, or may inadvertently expose sensitive data. The issue has been resolved in GStreamer version 1.24.10.
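The kind of bounds check this bug class calls for, as an added example that is not GStreamer's code or its patch: a stand-alone parser for the body of a WAV cue chunk (a 32-bit cue-point count followed by 24-byte records) that clips the header's declared size to the bytes actually in the buffer before reading anything. The function name parse_cue_chunk, its parameters and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CUE_POINT_SIZE 24u /* six little-endian 32-bit fields per cue point */

/* Read a little-endian 32-bit value; caller guarantees 4 readable bytes. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper (not a GStreamer function). Parses a "cue " chunk body.
 *   data, avail   - bytes actually held in the buffer
 *   declared_size - size field from the chunk header (untrusted)
 * Stores each cue point's sample offset in out (capacity max_out).
 * Returns the number of cue points parsed, or -1 if the chunk is malformed. */
int parse_cue_chunk(const uint8_t *data, size_t avail, uint32_t declared_size,
                    uint32_t *out, size_t max_out) {
    /* Clip the declared size down to what is really present, never up. */
    size_t size = declared_size < avail ? declared_size : avail;
    if (size < 4)
        return -1;
    uint32_t ncues = rd_le32(data);
    /* Division form avoids integer overflow in ncues * CUE_POINT_SIZE. */
    if (ncues > (size - 4) / CUE_POINT_SIZE || ncues > max_out)
        return -1;
    for (uint32_t i = 0; i < ncues; i++) {
        const uint8_t *rec = data + 4 + (size_t)i * CUE_POINT_SIZE;
        out[i] = rd_le32(rec + 20); /* sample offset is the sixth field */
    }
    return (int)ncues;
}

/* Constructed sample: count = 1, one record whose sample offset is 10000. */
static const uint8_t SAMPLE_CUE[28] = { [0] = 1, [24] = 0x10, [25] = 0x27 };

int main(void) {
    uint32_t offs[4] = {0};
    /* Header claims 52 bytes but only 28 are present: treated as 28. */
    int n = parse_cue_chunk(SAMPLE_CUE, sizeof SAMPLE_CUE, 52, offs, 4);
    printf("%d cue point(s), first offset %u\n", n, (unsigned)offs[0]);
    return 0;
}
```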