CVE-2023-44429
published 2024-05-03

Priority: P2 59 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 2.19% (80.2th percentile)
GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
debian | gst-plugins-bad1.0 | < 1.22.0-4+deb12u3 (bookworm) | 1.22.0-4+deb12u3 (bookworm)
gstreamer | gstreamer | < 1.22.7 | 1.22.7
gstreamer | gstreamer | |

Detection & IOCs (extracted from sources)

  • The vulnerability exists in AV1 encoded video file parsing within GStreamer's AV1 codec parser — monitor for processing of malformed AV1 video streams that trigger heap-based buffer overflow conditions
  • Target process is the application loading GStreamer's AV1 codec parser library (gstreamer1-plugins-bad-free / gstreamer-plugins-bad-free); monitor for unexpected crashes or heap corruption in processes using this library when handling AV1 media
  • GStreamer versions >= 1.17 introduced the AV1 parser and are vulnerable; versions < 1.17 do not contain the vulnerable code path — use version detection to identify exposed hosts
  • A malicious third party could deliver a crafted AV1 stream to trigger crash and potential heap manipulation for code execution — inspect AV1 media files/streams delivered from untrusted sources
  • Attack vectors vary depending on the implementation — any application that uses GStreamer to process AV1 video (e.g., media players, video conferencing, browsers with a GStreamer backend) is potentially exposed
  • Fixed versions are: Debian bookworm 1.22.0-4+deb12u3, bullseye 1.18.4-3+deb11u3, sid/trixie/forky 1.22.7-1 — patch status should be verified against these baselines
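The version-detection and patch-baseline items above are the part of this record a defender can automate. The script below is an added example (not part of this record, of GStreamer, or of Debian's tooling): it ranks package versions the way dpkg does, so Debian revisions such as 4+deb12u2 versus 4+deb12u3 compare correctly, and flags hosts whose GStreamer lies in the affected range (AV1 parser present since upstream 1.17, fixed in upstream 1.22.7 or the Debian versions listed above). The inventory, hostnames and the "upstream" suite label are constructed for the example.

```python
"""Version triage for CVE-2023-44429 (GStreamer AV1 parser heap overflow).

Added example; not part of the original record or of the GStreamer project.
Baselines are those quoted on the page: the AV1 parser exists since upstream
1.17, the upstream fix is 1.22.7, and the Debian fixed package versions are
bookworm 1.22.0-4+deb12u3, bullseye 1.18.4-3+deb11u3, sid/trixie/forky 1.22.7-1.
"""

AV1_PARSER_INTRODUCED = "1.17"   # first upstream release with the AV1 parser
UPSTREAM_FIXED = "1.22.7"

# Debian fixed gst-plugins-bad1.0 package versions from the page, keyed by suite.
DEBIAN_FIXED = {
    "bookworm": "1.22.0-4+deb12u3",
    "bullseye": "1.18.4-3+deb11u3",
    "sid": "1.22.7-1",
    "trixie": "1.22.7-1",
    "forky": "1.22.7-1",
}


def _order(ch):
    """dpkg character ordering: '~' sorts before everything (even end of
    string), letters sort before non-letters."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare one version fragment (upstream part or Debian revision) the way
    dpkg does: alternate a lexical non-digit run and a numeric digit run."""
    i = j = 0
    while i < len(a) or j < len(b):
        # lexical comparison of the non-digit run
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i += 1
            j += 1
        # numeric comparison of the digit run
        na = nb = 0
        while i < len(a) and a[i].isdigit():
            na = na * 10 + int(a[i])
            i += 1
        while j < len(b) and b[j].isdigit():
            nb = nb * 10 + int(b[j])
            j += 1
        if na != nb:
            return -1 if na < nb else 1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def upstream_vulnerable(version):
    """Plain upstream GStreamer release string, e.g. "1.22.6"."""
    return (_cmp_fragment(version, AV1_PARSER_INTRODUCED) >= 0
            and _cmp_fragment(version, UPSTREAM_FIXED) < 0)


def debian_vulnerable(suite, package_version):
    """Debian gst-plugins-bad1.0 package version compared against the suite's fix."""
    upstream = package_version.split(":", 1)[-1].rsplit("-", 1)[0]
    return (_cmp_fragment(upstream, AV1_PARSER_INTRODUCED) >= 0
            and dpkg_compare(package_version, DEBIAN_FIXED[suite]) < 0)


# Constructed inventory of (hostname, suite or "upstream", version); not real hosts.
INVENTORY = [
    ("media-01", "bookworm", "1.22.0-4+deb12u2"),
    ("media-02", "bookworm", "1.22.0-4+deb12u3"),
    ("conf-01", "bullseye", "1.18.4-3"),
    ("build-01", "upstream", "1.22.6"),
    ("build-02", "upstream", "1.24.0"),
    ("legacy-01", "upstream", "1.16.3"),
]


def exposed_hosts(inventory):
    """Names of hosts whose GStreamer falls inside the affected range."""
    out = []
    for host, suite, version in inventory:
        vuln = (upstream_vulnerable(version) if suite == "upstream"
                else debian_vulnerable(suite, version))
        if vuln:
            out.append(host)
    return out


if __name__ == "__main__":
    for host in exposed_hosts(INVENTORY):
        print(f"{host}: update gst-plugins-bad for CVE-2023-44429")
```

Feed it the output of `dpkg-query -W gst-plugins-bad1.0` on Debian hosts or `gst-inspect-1.0 --version` elsewhere; the point of mirroring dpkg's ordering rather than doing a plain string comparison is that "4+deb12u3" must rank above "4" and "1.22.0~rc1" below "1.22.0", which naive comparisons get wrong.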

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |
vendor_redhat | | 8.8 | HIGH |