PT-2024-10370 · Gstreamer+10 · Gstreamer+10

Antonio Morales

+1

·

Published

2024-12-11

·

Updated

2026-05-08

·

CVE-2024-47545

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions GStreamer versions prior to 1.24.10
Description The issue is related to an integer underflow in the qtdemux parse trak function within qtdemux.c. This underflow can occur during the strf parsing case when the subtraction size -= 40 results in a negative value if it is less than 40. As a consequence, the subsequent call to gst buffer fill invokes memcpy with a large copy size, leading to an out-of-bounds (OOB) read. This can potentially allow a remote attacker to execute arbitrary code.
Recommendations For versions prior to 1.24.10, update to version 1.24.10 or later to resolve the issue. As a temporary workaround, consider restricting the use of the qtdemux parse trak function until a patch is available.

Exploit

Fix

DoS

Integer Underflow

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-191CWE-190

Related Identifiers

ALSA-2025:7242
ALSA-2025_7242
ALT-PU-2025-2299
AZL-62357
BDU:2025-00875
BIT-JAVA-2024-47545
BIT-JAVA-MIN-2024-47545
BIT-JRE-2024-47545
CVE-2024-47545
DLA-4071-1
DSA-5838-1
INFSA-2025_7242
MGASA-2025-0040
OESA-2024-2592
OESA-2024-2593
OESA-2024-2594
OESA-2024-2595
OESA-2024-2596
OESA-2025-2615
OPENSUSE-SU-2025_0055-1
OPENSUSE-SU-2025_0064-1
OPENSUSE-SU-2025_0067-1
RHSA-2025:7242
RHSA-2025_7242
SUSE-SU-2025:00063-1
SUSE-SU-2025:0055-1
SUSE-SU-2025:0063-1
SUSE-SU-2025:0064-1
SUSE-SU-2025:0067-1
SUSE-SU-2025:02055-1
SUSE-SU-2025_02055-1
USN-7176-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Debian
Gstreamer
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu