CVE-2024-47540
GHSL-2024-197: GStreamer uses uninitialized stack memory in Matroska/WebM demuxer
Severity Score
Exploit Likelihood
Affected Versions
1Public Exploits
0Exploited in Wild
-Decision
Descriptions
GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.
A flaw was found in the Matroska/WebM demuxer in the GStreamer library. Processing a specially crafted input file can cause the usage of uninitialized stack memory, allowing calls to uninitialized function pointers, potentially resulting in code execution or an application crash.
Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-09-25 CVE Reserved
- 2024-12-11 CVE Published
- 2024-12-12 CVE Updated
- 2025-04-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-457: Use of Uninitialized Variable
CAPEC
References (5)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|