CVE-2024-0444
published 2024-06-07


Priority: P2 · 59 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 1.56% (72.1th percentile)
GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873.

Affected

3 ranges

Vendor    | Product             | Version range                               | Fixed in
debian    | gst-plugins-bad1.0  | < 1.22.0-4+deb12u5 (bookworm)               | 1.22.0-4+deb12u5 (bookworm)
gstreamer | gstreamer           | < 1.22.0                                    | 1.22.0
gstreamer | gstreamer           |                                             |

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered during parsing of tile list data within AV1-encoded video files — inspect/alert on AV1 video files being processed by GStreamer, particularly those with malformed tile list entries.
  • Attack vector involves a crafted AV1-encoded video file delivered to a user for processing — monitor for unexpected AV1 file ingestion by GStreamer-based applications, especially from remote/untrusted sources.
  • The vulnerable component is the AV1 codec plugin in GStreamer Bad Plugins (gst-plugins-bad). Confirm presence of the unpatched plugin on the system; on Debian bookworm the fix is in gst-plugins-bad 1.22.0-4+deb12u5 and on bullseye in 1.18.4-3+deb11u4.
  • Stack-based buffer overflow occurs in the AV1 tile list parsing code path — a crash (SIGSEGV/stack smash) in a GStreamer process while handling AV1 content is a strong indicator of exploitation attempts.
  • Attack vectors vary by implementation — any application embedding GStreamer and processing untrusted AV1 video (browsers, media players, video conferencing tools) is potentially in scope.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v3.0    | 7.5   | HIGH     | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_ubuntu |         | 8.8   | HIGH     |