PT-2024-9621 · GStreamer +10
Antonio Morales and one other · Published 2024-09-27 · Updated 2025-05-14
CVE-2024-47598 · CVSS v3.1 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
GStreamer versions prior to 1.24.10
Description
An out-of-bounds (OOB) read has been discovered in the qtdemux_merge_sample_table function in qtdemux.c, the QuickTime/MP4 demuxer shipped with GStreamer (gst-plugins-good). While merging the sample table, the function does not check how much of the stts (time-to-sample) atom remains before reading the next stts_duration value, so a crafted file with a truncated stts table makes the demuxer read 4 bytes past the end of stts->data. The result is a crash of the process parsing the file (denial of service); the vector above also rates the confidentiality impact as high, since the over-read bytes are consumed as a sample duration. No authentication or user interaction is required, so the malicious file can be supplied by a remote attacker.
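To make the missing check concrete, the following C program is an added illustration, not GStreamer's code: it parses a minimal stts (time-to-sample) atom, once with the vulnerable shape (the per-entry check covers only the first 4-byte field, so the duration read can run past the buffer) and once with a hardened check that bounds the declared entry count by the bytes actually present. The atom bytes, the 0xAA sentinel standing in for adjacent heap memory, and all function names are constructed for the example.

```c
/* Illustrative stts (time-to-sample) entry parser: a vulnerable shape beside
 * a hardened one. Not GStreamer's code; the atom bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STTS_HDR    8   /* version+flags (4) and entry_count (4) */
#define STTS_ENTRY  8   /* sample_count (4) and sample_delta (4), big-endian */
#define MAX_ENTRIES 16

typedef struct { uint32_t count; uint32_t delta; } stts_entry;

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable shape: the per-entry check only guarantees the 4 bytes of
 * sample_count, so a truncated final entry lets the delta read run 4 bytes
 * past `size`. Here `data` sits inside a larger backing array so the
 * over-read is well-defined for the demo; a real demuxer reads whatever
 * happens to follow the atom in memory. */
int parse_stts_vulnerable(const uint8_t *data, size_t size,
                          stts_entry *out, size_t *n_out) {
    if (size < STTS_HDR) return -1;
    uint32_t entry_count = rd_be32(data + 4);
    const uint8_t *p = data + STTS_HDR;
    size_t n = 0;
    for (uint32_t i = 0; i < entry_count && n < MAX_ENTRIES; i++) {
        if ((size_t)(p - data) + 4 > size) return -1;  /* covers count only */
        out[n].count = rd_be32(p);
        out[n].delta = rd_be32(p + 4);                  /* may exceed size */
        p += STTS_ENTRY;
        n++;
    }
    *n_out = n;
    return 0;
}

/* Hardened: bound the declared entry_count by what the payload can hold and
 * require the full 8-byte entry before reading either field. */
int parse_stts_hardened(const uint8_t *data, size_t size,
                        stts_entry *out, size_t *n_out) {
    if (size < STTS_HDR) return -1;
    uint32_t entry_count = rd_be32(data + 4);
    if (entry_count > (size - STTS_HDR) / STTS_ENTRY) return -1;
    if (entry_count > MAX_ENTRIES) return -1;
    const uint8_t *p = data + STTS_HDR;
    for (uint32_t i = 0; i < entry_count; i++) {
        /* redundant with the bound above; kept as defence in depth */
        if ((size_t)(p - data) + STTS_ENTRY > size) return -1;
        out[i].count = rd_be32(p);
        out[i].delta = rd_be32(p + 4);
        p += STTS_ENTRY;
    }
    *n_out = entry_count;
    return 0;
}

/* Constructed atom: entry_count claims 2 entries, but only 20 of the 24
 * needed bytes are present (entry 1's delta is missing). Bytes after the
 * logical end are a 0xAA sentinel standing in for adjacent heap memory. */
#define ATOM_SIZE 20
static const uint8_t truncated[32] = {
    0x00, 0x00, 0x00, 0x00,   /* version / flags */
    0x00, 0x00, 0x00, 0x02,   /* entry_count = 2 */
    0x00, 0x00, 0x00, 0x03,   /* entry 0: sample_count = 3 */
    0x00, 0x00, 0x04, 0x00,   /* entry 0: sample_delta = 1024 */
    0x00, 0x00, 0x00, 0x05,   /* entry 1: sample_count = 5, delta truncated */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};

/* Constructed well-formed atom: one complete entry (count 3, delta 1024). */
static const uint8_t wellformed[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x04, 0x00
};

/* Vulnerable parser on the truncated atom: the delta it "finds" for entry 1
 * comes entirely from beyond the atom (0xAAAAAAAA). */
uint32_t demo_vulnerable_delta(void) {
    stts_entry out[MAX_ENTRIES]; size_t n = 0;
    if (parse_stts_vulnerable(truncated, ATOM_SIZE, out, &n) != 0 || n != 2) return 0;
    return out[1].delta;
}

/* Hardened parser on the same bytes: returns -1 (rejected). */
int demo_hardened_status(void) {
    stts_entry out[MAX_ENTRIES]; size_t n = 0;
    return parse_stts_hardened(truncated, ATOM_SIZE, out, &n);
}

/* Hardened parser on the well-formed atom: returns entry 0's delta (1024). */
uint32_t demo_hardened_valid_delta(void) {
    stts_entry out[MAX_ENTRIES]; size_t n = 0;
    if (parse_stts_hardened(wellformed, sizeof wellformed, out, &n) != 0 || n != 1) return 0;
    return out[0].delta;
}

int main(void) {
    printf("vulnerable: entry 1 delta = 0x%08x (read past the atom)\n",
           demo_vulnerable_delta());
    printf("hardened on truncated atom: status = %d\n", demo_hardened_status());
    printf("hardened on well-formed atom: delta = %u\n", demo_hardened_valid_delta());
    return 0;
}
```

The point of the hardened variant is that the check is made against the size of the whole entry before either field is read, and that the declared entry count is clamped to the bytes actually present rather than trusted from the file; with a sanitizer build, the vulnerable variant on a heap-allocated copy of the truncated atom reports a heap-buffer-overflow read of exactly 4 bytes.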
Recommendations
Update GStreamer to version 1.24.10 or later. Until the update is applied, do not feed MP4/QuickTime (ISO BMFF) files from untrusted sources to pipelines that use qtdemux; on systems that do not need the demuxer, removing or disabling the isomp4 plugin from gst-plugins-good, which provides qtdemux, limits exposure. Note that qtdemux is auto-plugged by decodebin and playbin, so any application that opens attacker-supplied media, including players and thumbnailers, is reachable.
Weakness Enumeration
Out-of-bounds Read (CWE-125)
Related Identifiers
CVE-2024-47598
Affected Products
Alt Linux
Almalinux
Astra Linux
Debian
Gstreamer
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu