CVE-2024-47540
HIGH EPSS 58.3%
Published Dec 12, 20241y ago · Modified Jun 17, 20261w ago
8.6 CVSS 4.0
Published Dec 12, 2024 1y ago
Last Modified Jun 17, 2026 1w ago
Description
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
58.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 2
CWE-457
CWE-908
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| gstreamer | gstreamer | * | <1.24.10 |
References 4
- gitlab.freedesktop.org https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch
- gstreamer.freedesktop.org https://gstreamer.freedesktop.org/security/sa-2024-0017.html
- lists.debian.org https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html
- securitylab.github.com https://securitylab.github.com/advisories/GHSL-2024-197_GStreamer/
Remediation
- gitlab.freedesktop.org https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch