cbcvebase.
CVE-2023-50186
published 2024-05-03

CVE-2023-50186: GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

Priority: P2 / 59 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 1.53% (71.7th percentile)
GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of metadata within AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22300.
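The flaw described above is the classic pattern of trusting an attacker-supplied length when copying into a fixed-size stack buffer. The following is an added illustration, not GStreamer's code: the "metadata OBU" layout (one length byte followed by the payload), the function names and the sample bytes are all invented for the demonstration. It shows the vulnerable shape beside a hardened parser that validates the length against both the destination buffer and the remaining input before copying.

```c
/* Illustrative stack-buffer-overflow pattern in a length-prefixed metadata
 * parser, beside its hardened form.  Added example, NOT GStreamer code: the
 * OBU layout, names and sample bytes are invented for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define META_BUF_SIZE 16  /* size of the fixed stack buffer the parser fills */

/* Both parsers take a constructed "metadata OBU" body laid out as
 *   [1 byte: payload_len][payload_len bytes: payload]
 * and fold the payload into an 8-bit XOR digest written to *digest.
 * Return value: payload_len on success, -1 on malformed input. */

/* Vulnerable shape: the attacker-controlled length byte is used as the
 * memcpy size with no comparison against sizeof buf or the bytes left in
 * the OBU.  A length greater than META_BUF_SIZE overwrites the stack frame. */
int parse_metadata_unsafe(const uint8_t *obu, size_t obu_len, uint8_t *digest)
{
    uint8_t buf[META_BUF_SIZE];
    if (obu_len < 1)
        return -1;
    size_t payload_len = obu[0];           /* user-supplied length */
    memcpy(buf, obu + 1, payload_len);     /* missing bounds check */
    uint8_t d = 0;
    for (size_t i = 0; i < payload_len; i++)
        d ^= buf[i];
    *digest = d;
    return (int)payload_len;
}

/* Hardened form: reject the OBU if the claimed length exceeds either the
 * destination capacity or the input actually present. */
int parse_metadata_safe(const uint8_t *obu, size_t obu_len, uint8_t *digest)
{
    uint8_t buf[META_BUF_SIZE];
    if (obu_len < 1)
        return -1;
    size_t payload_len = obu[0];
    if (payload_len > sizeof buf)          /* would overflow the stack buffer */
        return -1;
    if (payload_len > obu_len - 1)         /* would read past the end of the OBU */
        return -1;
    memcpy(buf, obu + 1, payload_len);
    uint8_t d = 0;
    for (size_t i = 0; i < payload_len; i++)
        d ^= buf[i];
    *digest = d;
    return (int)payload_len;
}

/* Constructed samples (not real AV1 bitstream data). */
static const uint8_t WELL_FORMED[] = { 4, 'a', 'b', 'c', 'd' };
/* length byte claims 255 bytes; only 3 follow and the buffer holds 16 */
static const uint8_t OVERSIZED[]   = { 255, 'x', 'y', 'z' };
/* length byte claims 8 bytes but only 2 follow */
static const uint8_t TRUNCATED[]   = { 8, 'a', 'b' };

int main(void)
{
    uint8_t d = 0;
    int n;

    n = parse_metadata_safe(WELL_FORMED, sizeof WELL_FORMED, &d);
    printf("well-formed: consumed %d bytes, digest 0x%02x\n", n, d);
    n = parse_metadata_safe(OVERSIZED, sizeof OVERSIZED, &d);
    printf("oversized length: %s\n", n < 0 ? "rejected" : "accepted");
    n = parse_metadata_safe(TRUNCATED, sizeof TRUNCATED, &d);
    printf("truncated payload: %s\n", n < 0 ? "rejected" : "accepted");

    /* The unsafe parser behaves identically on well-formed input.  Feeding
     * it OVERSIZED would smash the stack (undefined behaviour), so it is
     * deliberately not called with that sample here. */
    n = parse_metadata_unsafe(WELL_FORMED, sizeof WELL_FORMED, &d);
    printf("unsafe parser, well-formed: consumed %d bytes\n", n);
    return 0;
}
```

Note that the hardened parser needs two separate checks: one against the destination buffer (the stack overflow in this CVE) and one against the remaining input (an out-of-bounds read that a single "fits in buf" check would not catch). Compiling with -fstack-protector or running the unsafe variant under AddressSanitizer with the oversized sample makes the overflow visible as a crash rather than silent corruption.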

Affected (3 ranges)

Vendor    | Product            | Version range                  | Fixed in
debian    | gst-plugins-bad1.0 | < 1.22.0-4+deb12u4 (bookworm)  | 1.22.0-4+deb12u4 (bookworm)
gstreamer | gstreamer          | < 1.22.8                       | 1.22.8
gstreamer | gstreamer          | (no range given)               | (not given)

Detection & IOCs (extracted from sources)

  • The vulnerability exists in the AV1 video parser within GStreamer's gstreamer-plugins-bad. Detection should focus on the processing of AV1 encoded video files, specifically metadata parsing, where a user-supplied length is not validated before being copied to a fixed-length stack-based buffer.
  • The attack vector is remote and requires the target to interact with (open/parse) a malformed AV1 encoded video file via an application that uses the GStreamer AV1 codec plugin (gstreamer-plugins-bad / gstreamer1-plugins-bad-free).
  • Monitor applications using the GStreamer AV1 codec plugin for crashes or unexpected code execution when opening media files; a crash may indicate an exploitation attempt or a successful exploit.
  • RHEL 7 and RHEL 8 are NOT affected because their GStreamer versions do not include the AV1 parser; no detection or patching action is needed on those platforms.
  • On Ubuntu, only Ubuntu 22.04 LTS is affected by CVE-2023-50186; other Ubuntu releases are not impacted.
  • On Debian, the vulnerability is resolved in gstreamer1.0-plugins-bad 1.22.0-4+deb12u4 (bookworm) and 1.22.8-1 (forky/trixie/sid). Ensure patched versions are deployed.

CVSS provenance

nvd (v3.1):     8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v3.0):     7.5 HIGH  CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv:            8.8 HIGH
vendor_debian:  8.8 HIGH
vendor_redhat:  8.8 HIGH
vendor_ubuntu:  8.8 HIGH