PT-2024-6079 · Gstreamer+6 · Gstreamer+6

Michael Randrianantenaina

Published

2024-01-24

Updated

2025-06-05

CVE-2024-0444

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions GStreamer versions prior to 1.22.9

Description This issue allows remote attackers to execute arbitrary code on affected installations of GStreamer. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

Recommendations For versions prior to 1.22.9, update to version 1.22.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of AV1-encoded video files until a patch is available. Avoid using the tile list data parsing functionality in the affected AV1 codec parser until the issue is resolved.

Fix

RCE

Memory Corruption

Stack Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787CWE-121

Related Identifiers

ALSA-2025:7178

BDU:2024-06904

CVE-2024-0444

DSA-5608-1

INFSA-2025_7178

MGASA-2024-0119

OPENSUSE-SU-2024:13649-1

RHSA-2025:18416

RHSA-2025:7178

RHSA-2025_7178

USN-7558-1

ZDI-24-567

Affected Products

Almalinux

Astra Linux

Gstreamer

Linuxmint

Red Hat

Rocky Linux

Ubuntu

PT-2024-6079 · Gstreamer+6 · Gstreamer+6

CVE-2024-0444

Weakness Enumeration

Related Identifiers

Affected Products

References · 43