CVE-2024-47606: Integer Overflow or Wraparound in GStreamer

Severity: 8.6 HIGH (NVD)
EPSS: 0.3% (top 43.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 12; latest update Jul 16

Description

GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffe
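The description above hinges on one arithmetic detail: a signed 32-bit `gint` size that has gone negative is widened to an unsigned 64-bit allocation length, so a small negative number becomes an enormous request. The following C program is an added illustration of that conversion and of the kind of pre-allocation check that prevents it; it is not GStreamer's code and does not reproduce the qtdemux parser. The helper names (`widen_size`, `unchecked_size`, `safe_alloc_size`) and the atom/header length parameters are hypothetical; the value 0xfffffffffffffffa quoted in the description is exactly what a 32-bit size of -6 becomes after this widening.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GStreamer code. Models the bug class described in the
 * advisory: a signed 32-bit size derived from parsed lengths goes negative,
 * then is passed to an allocator that takes a 64-bit unsigned length.
 * All function and parameter names here are hypothetical. */

/* Widen a signed 32-bit size the way an implicit conversion to a 64-bit
 * unsigned allocation parameter does: sign-extend, then reinterpret.
 * For -6 this yields 0xfffffffffffffffa. */
uint64_t widen_size(int32_t size) {
    return (uint64_t)size;
}

/* Unchecked derivation: payload size = atom length minus header length.
 * If the parsed atom is shorter than the header, the result underflows. */
int32_t unchecked_size(int32_t atom_len, int32_t header_len) {
    return atom_len - header_len;
}

/* Hardened derivation: reject negative inputs, reject atoms shorter than
 * their header (the underflow case), and cap the result at a sane maximum
 * before it is ever widened into an allocation length.
 * Returns true and writes *out only when the size is acceptable. */
bool safe_alloc_size(int32_t atom_len, int32_t header_len,
                     int32_t max_len, uint64_t *out) {
    if (atom_len < 0 || header_len < 0 || max_len < 0)
        return false;
    if (atom_len < header_len)          /* would underflow */
        return false;
    int32_t size = atom_len - header_len;
    if (size > max_len)                 /* sanity cap */
        return false;
    *out = (uint64_t)size;              /* safe: known non-negative */
    return true;
}

int main(void) {
    /* Constructed sample: an atom of 2 bytes against an 8-byte header. */
    int32_t bad = unchecked_size(2, 8);
    printf("unchecked size: %" PRId32 " -> widened 0x%016" PRIx64 "\n",
           bad, widen_size(bad));

    uint64_t len = 0;
    if (!safe_alloc_size(2, 8, 1 << 20, &len))
        printf("hardened check rejected the short atom\n");
    if (safe_alloc_size(100, 8, 1 << 20, &len))
        printf("hardened check accepted size %" PRIu64 "\n", len);
    return 0;
}
```

The check belongs before any arithmetic result is handed to an allocator, because once the value has been widened there is nothing left to distinguish "negative" from "huge".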

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

NVD: gstreamer/gstreamer < 1.24.10
Debian: debian/gstreamer1.0 < gst-plugins-good1.0 1.22.0-5+deb12u2 (bookworm)
Debian: debian/gst-plugins-good1.0 < gst-plugins-good1.0 1.22.0-5+deb12u2 (bookworm)

Also affects: Debian Linux 11.0

Patches

Vulnerability Details (1)

OSV: CVE-2024-47606: GStreamer is a library for constructing graphs of media-handling components (2024-12-12)

Vendor Advisories (6)

Oracle: Oracle Communications Risk Matrix: Tools (Oracle Java SE), CVE-2024-47606 (2025-07-15)
Oracle: Oracle Java SE Risk Matrix: JavaFX (gstreamer), CVE-2024-47606 (2025-04-15)
Ubuntu: GStreamer Good Plugins vulnerabilities (2024-12-18)
Ubuntu: GStreamer vulnerability (2024-12-18)
Red Hat: gstreamer1-plugins-good: integer overflows in MP4/MOV demuxer and memory allocator that can lead to out-of-bounds writes (2024-12-11)

Threat Intelligence (2)

Qualys: Oracle Critical Patch Update, July 2025 Security Update Review (2025-07-16)
Qualys: Oracle Critical Patch Update, July 2025 Security Update Review | Qualys (2025-07-16)