Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2024-47540

Public on 2024-12-12
Modified on 2024-12-23
Description

GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.

Severity
Important
See what this means
CVSS v3 Base Score
7.3
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core gstreamer1-plugins-good 2025-02-26 22:35 ALAS2-2025-2776
Amazon Linux 2 - Core gstreamer1-plugins-good 2025-01-30 22:56 ALAS2-2025-2748

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2024-47540 Mitre: CVE-2024-47540 FAQs regarding Amazon Linux ALAS/CVE Severity