CVE-2024-47602 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-47602

CVE-2024-47602

December 11, 2024

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10.

Related Resources (5)

https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html

https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8057.patch

https://securitylab.github.com/advisories/GHSL-2024-250_Gstreamer/

https://security-tracker.debian.org/tracker/CVE-2024-47602

https://gstreamer.freedesktop.org/security/sa-2024-0019.html

Do you need more information?

CVSS v4

Base Score:

6.8

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

NULL Pointer Dereference

CWE-476

Out-of-bounds Read

CWE-125

EPSS

Base Score:

0.08

Products

Solutions

Resources

Company

Compare

Developer Tools