PT-2024-9614 · Gstreamer+10
Author: Antonio Morales +1
Published: 2024-09-26 · Updated: 2025-06-24
CVE-2024-47543
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
GStreamer versions prior to 1.24.10
Description
A vulnerability has been discovered in the qtdemux_parse_container function in qtdemux.c: an out-of-bounds (OOB) read from memory. The issue arises in the parent function qtdemux_parse_node, where the value of length is not properly checked. If length is sufficiently large, the pointer end is set to point beyond the end of the buffer, and qtdemux_parse_container then reads memory past the bounds of the buffer. The vulnerability can result in reading up to 4 GB of process memory, or in a segmentation fault (SEGV) when the read reaches invalid memory.
Recommendations
For GStreamer versions prior to 1.24.10, update to version 1.24.10 to resolve the issue. As a temporary workaround, consider restricting access to the qtdemux_parse_container function until a patch is available, and avoid calling qtdemux_parse_node with large length values through the affected API until the issue is resolved.
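The unchecked-length pattern from the Description above, as an added illustrative example in C that is not GStreamer's code: a minimal QuickTime atom walker that validates each atom's declared size against the bytes remaining before computing end, so the pointer can never land past the buffer. The functions read_be32, walk_atoms, walk_good and walk_bad and the two sample buffers are constructed for this example; the special atom sizes 0 and 1 used by real files are deliberately not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* QuickTime/MP4 atom fields are big-endian. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/*
 * Walk the child atoms in buf[0..buflen). Each atom starts with a 4-byte
 * big-endian size (header included) and a 4-byte type. On success returns 0
 * and stores the atom count; returns -1 if a declared size does not fit.
 * The check against "remaining" is the hardening: without it, end = p + length
 * lands past buf_end and the child parser reads out of bounds.
 * Simplification (constructed example): sizes 0 and 1 are treated as invalid.
 */
int walk_atoms(const uint8_t *buf, size_t buflen, int *count) {
    const uint8_t *p = buf, *buf_end = buf + buflen;
    *count = 0;
    while ((size_t)(buf_end - p) >= 8) {
        uint32_t length = read_be32(p);
        size_t remaining = (size_t)(buf_end - p);
        if (length < 8 || length > remaining)   /* reject oversized atom */
            return -1;
        const uint8_t *end = p + length;        /* now end <= buf_end */
        /* child atom payload lies in [p + 8, end); parse it here */
        (*count)++;
        p = end;
    }
    return 0;
}

/* Constructed sample: two well-formed atoms ('free' 16 bytes, 'wide' 8 bytes). */
static const uint8_t good_atoms[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e', 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x08, 'w', 'i', 'd', 'e'
};
/* Constructed sample: declared size 0xFFFFFFFF with only 16 bytes present. */
static const uint8_t bad_atoms[] = {
    0xFF, 0xFF, 0xFF, 0xFF, 'm', 'd', 'a', 't', 0, 0, 0, 0, 0, 0, 0, 0
};

int walk_good(void) { int n; return walk_atoms(good_atoms, sizeof good_atoms, &n) == 0 ? n : -1; }
int walk_bad(void)  { int n; return walk_atoms(bad_atoms, sizeof bad_atoms, &n); }

int main(void) {
    printf("good: %d atoms, bad: %d\n", walk_good(), walk_bad());  /* good: 2 atoms, bad: -1 */
    return 0;
}
```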
Weakness Enumeration
Out-of-bounds Read
Affected Products
ALT Linux
AlmaLinux
Astra Linux
Debian
GStreamer
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu