CVE-2023-37328
published 2024-05-03

CVE-2023-37328: GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

Priority: P2 58
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.81% (75.9th percentile)
GStreamer PGS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of PGS subtitle files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20994.

Affected

4 ranges

Vendor    | Product             | Version range                  | Fixed in
debian    | gst-plugins-base1.0 | < 1.22.0-3+deb12u1 (bookworm)  | 1.22.0-3+deb12u1 (bookworm)
gstreamer | gstreamer           | < 1.20.7                       | 1.20.7
gstreamer | gstreamer           | (not specified)                | (not specified)
gstreamer | gstreamer           | >= 1.22.0, < 1.22.4            | 1.22.4

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the parsing of PGS subtitle files within GStreamer's subparse subtitle parser — monitor for processing of PGS subtitle files by GStreamer-based applications
  • Attack vector is a specially crafted PGS or SRT subtitle file delivered to a GStreamer-based application — flag suspicious subtitle file opens in media players or applications using gstreamer1-plugins-base / gstreamer-plugins-base
  • Heap-based buffer overflow in the subparse subtitle parser of GStreamer — look for heap corruption signals (crashes, abnormal memory usage) in processes loading subtitle files via gstreamer-plugins-base
  • Fixed versions vary by distribution — ensure gstreamer-plugins-base is patched to the appropriate version for the target platform before closing findings
  • Attack vectors may vary depending on the implementation — any application that uses the GStreamer library to process subtitle files is potentially in scope, not just dedicated media players

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv            |         | 8.8   | HIGH     |
vendor_debian  |         | 8.8   | HIGH     |
vendor_redhat  |         | 8.8   | HIGH     |
vendor_ubuntu  |         | 8.8   | HIGH     |