CVE-2024-47607 HIGH

CVE-2024-47607: GHSL-2024-116: Stack-buffer overflow in gst_opus_dec_parse_header

Vendor Gstreamer
Product gstreamer
Weakness CWE-121
Published December 11, 2024
Last update November 3, 2025

CVSS base score

8.6/10
Attack vector Local
Attack complexity Low
Attack requirements None
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

GStreamer is a library for constructing graphs of media-handling components. A stack buffer overflow has been found in the gst_opus_dec_parse_header function in `gstopusdec.c`. The pos array is a stack-allocated buffer of 64 entries, but n_channels is read from the stream header. If n_channels exceeds 64, the for loop that fills pos writes beyond the end of the array. The value written is always GST_AUDIO_CHANNEL_POSITION_NONE, so the attacker controls how far past the array the writes extend, not what is written. The out-of-bounds writes can reach the saved return address (EIP) on the stack. This vulnerability is fixed in 1.24.10.
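The following is an added example, not GStreamer's code and not from the advisory: a minimal parser for the fixed part of an OpusHead packet that keeps a 64-entry position array like the one the advisory describes and shows the bound check the vulnerable loop lacked. The OpusHead byte layout is taken from RFC 7845 rather than from this page, and POSITION_NONE is a stand-in whose numeric value is an assumption; the sample packets are constructed inline.

```c
/* Added example (not GStreamer's code): OpusHead parse with the channel-count
 * bound that gst_opus_dec_parse_header lacked before 1.24.10. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_POSITIONS 64        /* size of the stack array pos[64] named in the advisory */
#define POSITION_NONE (-3)      /* stand-in for GST_AUDIO_CHANNEL_POSITION_NONE; value assumed */
#define OPUSHEAD_FIXED_LEN 19   /* RFC 7845 OpusHead: "OpusHead"(8) version(1) channels(1)
                                   pre-skip(2 LE) input rate(4 LE) gain(2 LE) mapping family(1) */

struct opus_head {
    int n_channels;
    int mapping_family;
    int pos[MAX_POSITIONS];
};

/* The loop the advisory describes, with the missing check in front of it: the
 * channel count is attacker-controlled stream data, so it is compared against
 * the array capacity before the first write. Returns 0 on success, -1 if the
 * loop would run past pos[]. */
static int fill_positions(int *pos, size_t cap, int n_channels)
{
    if (n_channels < 0 || (size_t)n_channels > cap)
        return -1;              /* without this, n_channels=255 writes 191 ints past pos[64] */
    for (int n = 0; n < n_channels; n++)
        pos[n] = POSITION_NONE; /* the fixed value the advisory says is written */
    return 0;
}

/* Parses the fixed 19-byte part of an OpusHead packet. Returns 0 on success,
 * -1 on a truncated header, bad magic, zero channels, or more channels than
 * the position array can hold. */
static int parse_opus_head(const uint8_t *buf, size_t len, struct opus_head *out)
{
    if (len < OPUSHEAD_FIXED_LEN || memcmp(buf, "OpusHead", 8) != 0)
        return -1;
    out->n_channels = buf[9];       /* one byte, 0..255; only 64 fit in pos[] */
    out->mapping_family = buf[18];
    if (out->n_channels == 0)
        return -1;                  /* RFC 7845 requires at least one channel */
    return fill_positions(out->pos, MAX_POSITIONS, out->n_channels);
}

/* Builds a constructed OpusHead packet for testing: version 1, pre-skip 312,
 * 48000 Hz input rate, zero output gain. */
static size_t make_opus_head(uint8_t *out, uint8_t channels, uint8_t family)
{
    memcpy(out, "OpusHead", 8);
    out[8] = 1;                                   /* version */
    out[9] = channels;                            /* channel count */
    out[10] = 0x38; out[11] = 0x01;               /* pre-skip 312, little-endian */
    out[12] = 0x80; out[13] = 0xBB; out[14] = 0; out[15] = 0; /* 48000 Hz */
    out[16] = 0; out[17] = 0;                     /* output gain */
    out[18] = family;                             /* channel mapping family */
    return OPUSHEAD_FIXED_LEN;
}

/* Convenience wrapper: build a packet with the given counts and parse it. */
static int parse_constructed(uint8_t channels, uint8_t family, struct opus_head *h)
{
    uint8_t pkt[OPUSHEAD_FIXED_LEN];
    size_t n = make_opus_head(pkt, channels, family);
    return parse_opus_head(pkt, n, h);
}

int main(void)
{
    struct opus_head h;
    /* Hostile case: a 255-channel header must be rejected, not written into pos[]. */
    return parse_constructed(255, 255, &h) == -1 ? 0 : 1;
}
```

The check must sit before the loop, not after it: by the time a post-hoc comparison runs, the writes past pos[] have already happened. Rejecting the header also closes the zero-channel case, which the bound alone would let through.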

Key dates

02 Disclosure timeline

December 11, 2024 CVE published
November 3, 2025 Record updated
