CVE-2024-47778Out-of-bounds Read in Gstreamer

CWE-125Out-of-bounds Read12 documents8 sources
Severity
5.1MEDIUMNVD
EPSS
0.1%
top 65.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GstreamerDebian Gst-plugins-good1.0
Timeline
PublishedMar 23
Latest updateApr 13

Description

An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function. The patch added a size validation check lsize + 8 > size, but it does not account for the GST_ROUND_UP_2(lsize) used in the actual offset calculation. When lsize is an odd number, the parser advances more bytes than validated, causing OOB read.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 2.5 | Impact: 2.5

Affected Packages2 packages

NVDgstreamer/gstreamer< 1.24.10
debiandebian/gst-plugins-good1.0< gst-plugins-good1.0 1.22.0-5+deb12u2 (bookworm)+1

🔴Vulnerability Details

4
VulDB
GStreamer Incomplete Fix CVE-2024-47778 gst_wavparse_adtl_chunk out-of-bounds (ID 4854 / WID-SEC-2026-0525)2026-04-13
GHSA
GHSA-9wvw-r6fm-6wwv: An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function2026-03-24
OSV
CVE-2026-1940: An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavparse_adtl_chunk() function2026-03-23
OSV
CVE-2024-47778: GStreamer is a library for constructing graphs of media-handling components2024-12-12

📋Vendor Advisories

5
Red Hat
gstreamer: incomplete fix of CVE-2026-19402026-02-25
Debian
CVE-2026-1940: gst-plugins-good1.0 - An incomplete fix for CVE-2024-47778 allows an out-of-bounds read in gst_wavpars...2026
Ubuntu
GStreamer Good Plugins vulnerabilities2024-12-18
Red Hat
gstreamer1-plugins-good: OOB-read in gst_wavparse_adtl_chunk2024-12-11
Debian
CVE-2024-47778: gst-plugins-good1.0 - GStreamer is a library for constructing graphs of media-handling components. An ...2024

🕵️Threat Intelligence

1
Wiz
CVE-2026-1940 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2024-47778 — Out-of-bounds Read in Gstreamer | cvebase