CVE-2024-47538 in GStreamer

Summary

by MITRE • 12/12/2024

GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The `position` array is a stack-allocated buffer of size 64. If `vd->vi.channels` exceeds 64, the `for` loop will write beyond the boundaries of the `position` array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10.

Analysis

by VulDB Data Team • 03/17/2026

CVE-2024-47538 is a critical stack-based buffer overflow in the Vorbis audio decoder of the GStreamer multimedia framework. The flaw is in the `vorbis_handle_identification_packet` function in `gstvorbisdec.c`, where a stack-allocated buffer named `position` is limited to 64 elements. The channel count read from Vorbis-encoded media files is not adequately bounds-checked: when `vd->vi.channels` exceeds the allocated buffer size of 64, the subsequent `for` loop writes past the end of the buffer, causing memory corruption that malicious actors can exploit to manipulate program execution flow.

Exploitation relies on the predictable nature of the overflow to overwrite critical memory structures on the program's stack. The overflow can overwrite the saved instruction pointer (EIP), which controls program execution flow, allowing attackers to redirect code execution to arbitrary memory locations. It can also corrupt the `GstAudioInfo` structure, which contains essential audio format information and metadata. This dual impact on execution control and data integrity is particularly dangerous: attackers can not only gain remote code execution capabilities but also potentially manipulate audio processing behavior. The overflow occurs because the code writes `GST_AUDIO_CHANNEL_POSITION_NONE` values beyond the 64-element boundary, which can overwrite adjacent stack variables and function return addresses.

The operational impact extends beyond simple code execution, because the flaw affects the core multimedia processing capabilities of applications built on GStreamer. Systems that use affected versions of GStreamer for audio processing, streaming, or media playback are at risk of arbitrary code execution when processing maliciously crafted Vorbis audio files. This is particularly concerning in environments where users might encounter untrusted media content, such as web browsers, media players, or content management systems that process user-uploaded audio files. Exploitation typically requires an attacker to craft a specially formatted Vorbis audio file that triggers the vulnerable code path, making this a remote code execution vulnerability that can be delivered through various attack vectors, including web downloads, email attachments, or media sharing platforms.

The vulnerability aligns with CWE-121 Stack-based Buffer Overflow, which is categorized under the Common Weakness Enumeration framework as a fundamental memory safety issue. This weakness type specifically addresses buffer overflows that occur in stack-allocated memory, making it a direct match for the identified flaw in the GStreamer implementation. From an attack perspective, this vulnerability maps to ATT&CK technique T1059.007 for command and scripting interpreter, as successful exploitation would enable attackers to execute arbitrary commands on the target system. The remediation approach requires immediate deployment of GStreamer version 1.24.10 or later, which includes proper bounds checking to prevent the overflow condition. Organizations should also implement additional defensive measures such as input validation for media files, sandboxing of media processing components, and regular security updates to protect against similar vulnerabilities in the broader multimedia processing ecosystem.
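
The bounds check discussed in the analysis, as an added example (not GStreamer's code or its actual patch): a simplified model of identification-packet handling that reads the 8-bit channel count from a Vorbis identification header and refuses counts a 64-entry array cannot hold. The function names, `MAX_POSITIONS`, the `POSITION_NONE` stand-in and the sample header bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_POSITIONS 64   /* size of the stack array described above */
#define POSITION_NONE (-3) /* stand-in for GST_AUDIO_CHANNEL_POSITION_NONE */

/* Channel count from a Vorbis identification header: type byte 0x01,
 * "vorbis", 32-bit version, then the 8-bit audio_channels field at
 * offset 11. Returns -1 if the packet is not such a header. */
static int ident_channels(const uint8_t *pkt, size_t len)
{
    if (len < 12 || pkt[0] != 0x01 || memcmp(pkt + 1, "vorbis", 6) != 0)
        return -1;
    return pkt[11];
}

/* Unchecked pattern: for (i = 0; i < channels; i++) position[i] = NONE;
 * The 8-bit field can carry 255, so up to 191 writes would land past a
 * 64-entry array. This checked form rejects the count instead. */
static int fill_positions(int channels, int *position, size_t cap)
{
    if (channels <= 0 || (size_t)channels > cap)
        return -1;
    for (int i = 0; i < channels; i++)
        position[i] = POSITION_NONE;
    return channels;
}

/* Hypothetical handler: parse, validate, then fill the stack array. */
int handle_ident_packet(const uint8_t *pkt, size_t len)
{
    int position[MAX_POSITIONS];
    int n = fill_positions(ident_channels(pkt, len), position, MAX_POSITIONS);
    return (n > 0 && position[n - 1] == POSITION_NONE) ? n : -1;
}

/* Constructed 12-byte header prefix for the demo, not a captured file. */
static void make_ident(uint8_t out[12], uint8_t channels)
{
    memcpy(out, "\x01vorbis\0\0\0\0", 11);
    out[11] = channels;
}

int main(void)
{
    uint8_t pkt[12];
    make_ident(pkt, 64); printf("64 -> %d\n", handle_ident_packet(pkt, 12));
    make_ident(pkt, 65); printf("65 -> %d\n", handle_ident_packet(pkt, 12));
}
```

The same offset-11 check can run as a pre-filter in front of a decoder that has not yet been updated to 1.24.10.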

Responsible: GitHub M
Reservation: 09/25/2024
Disclosure: 12/12/2024
Moderation: accepted
CPE: ready
EPSS: 0.01237
KEV: no
Activities: very low
