PT-2024-9585 · Gstreamer+11
Antonio Morales +1 · Published 2024-09-30 · Updated 2025-06-30 · CVE-2024-47540
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GStreamer versions prior to 1.24.10
Description
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution.
Recommendations
For versions prior to 1.24.10, update to version 1.24.10 to patch the issue and secure your system. As a temporary workaround, consider restricting the use of the gst_matroska_demux_add_wvpk_header function until a patch is available. Avoid using the gst_buffer_unmap function with uninitialized map variables in the affected API endpoints until the issue is resolved.
Exploit
Fix
Use of Uninitialized Resource
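The bug class from the Description, shown as an added example that is neither GStreamer's code nor its 1.24.10 patch: a cleanup path unmaps a map structure that the short-input branch never filled in, next to a hardened form. Mem, Allocator, MapInfo, buf_map, buf_unmap and both parse functions are stand-ins invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in types for this example only; they are not the GStreamer API. */
typedef struct Mem Mem;
typedef struct { void (*mem_unmap)(Mem *); } Allocator;
struct Mem { Allocator *allocator; const uint8_t *data; size_t size; int unmaps; };
typedef struct { Mem *memory; const uint8_t *data; } MapInfo;

static void counting_unmap(Mem *m) { m->unmaps++; }
static Allocator demo_allocator = { counting_unmap };
static const uint8_t sample[] = { 0x78, 0x56, 0x34, 0x12 };  /* constructed input */

static void buf_map(Mem *m, MapInfo *map) { map->memory = m; map->data = m->data; }
/* Indirect call through pointers read from the map, as in the description. */
static void buf_unmap(MapInfo *map) { map->memory->allocator->mem_unmap(map->memory); }
static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

#ifdef SHOW_VULNERABLE_SHAPE  /* illustration only; not compiled by default */
int parse_vulnerable(Mem *m, size_t size, uint32_t *out) {
    MapInfo map;                 /* never initialized */
    if (size < 4) goto done;     /* short input skips buf_map() ... */
    buf_map(m, &map);
    *out = le32(map.data);
done:
    buf_unmap(&map);             /* ... yet cleanup still runs on stack garbage */
    return size < 4 ? -1 : 0;
}
#endif

/* Hardened: reject short input before anything is mapped, so buf_unmap() is
 * reached only on the path where buf_map() has filled the map in. */
int parse_hardened(Mem *m, size_t size, uint32_t *out) {
    MapInfo map = { 0 };
    if (size < 4 || m->size < size) return -1;
    buf_map(m, &map);
    *out = le32(map.data);
    buf_unmap(&map);
    return 0;
}

int main(void) {
    Mem m = { &demo_allocator, sample, sizeof sample, 0 };
    uint32_t v = 0;
    int rc_short = parse_hardened(&m, 3, &v), rc_ok = parse_hardened(&m, 4, &v);
    return (rc_short == -1 && rc_ok == 0 && v == 0x12345678u && m.unmaps == 1) ? 0 : 1;
}
```

Building with -Wall -Wextra -DSHOW_VULNERABLE_SHAPE lets the compiler's uninitialized-variable diagnostics inspect the first function without it ever being called.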
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Gstreamer
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu