CVE-2024-47600 Overview
CVE-2024-47600 is an out-of-bounds read vulnerability discovered in GStreamer, a widely-used open-source multimedia framework for constructing graphs of media-handling components. The vulnerability exists in the format_channel_mask function within gst-discoverer.c, where improper bounds checking allows an attacker to read memory beyond the intended buffer boundaries.
The vulnerability affects the local position array, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an out-of-bounds read when an index greater than 63 is used.
Critical Impact
This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior, potentially exposing sensitive information or causing application crashes.
Affected Products
- GStreamer versions prior to 1.24.10
- Linux distributions shipping vulnerable GStreamer versions (including Debian)
- Applications utilizing GStreamer's audio discovery functionality
Discovery Timeline
- 2024-12-12 - CVE CVE-2024-47600 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2024-47600
Vulnerability Analysis
This out-of-bounds read vulnerability (CWE-125) stems from an inadequate boundary check in the media discovery component of GStreamer. The format_channel_mask function processes audio channel information using a fixed-size array that assumes a maximum of 64 audio channels. When media files contain metadata indicating more than 64 channels, the function iterates beyond the array bounds, reading arbitrary stack memory.
The exploitation requires local access to the system and involves crafting or providing a malicious media file with specially constructed audio channel metadata. While the attack complexity is low and requires no special privileges, the impact is limited to information disclosure and potential application instability rather than complete system compromise.
Root Cause
The root cause lies in the mismatch between the fixed-size position array (64 elements) and the dynamic value returned by gst_discoverer_audio_info_get_channels(). The code fails to validate that the channel count does not exceed the array bounds before iterating through the loop. This classic bounds-checking omission allows the loop counter to exceed index 63, causing reads from unallocated stack memory.
Attack Vector
The attack vector requires local access where an attacker can supply a crafted media file to an application using GStreamer's discovery functionality. The malicious file would contain audio stream metadata specifying a channel count exceeding 64. When the application attempts to discover and analyze the media file's properties, the vulnerable function processes the excessive channel count without validation, triggering the out-of-bounds memory read.
The vulnerability can be triggered through any application that uses GStreamer's media discovery capabilities, including media players, video editors, and transcoding tools. The dereference of value->value_nick following the OOB-read amplifies the potential impact by attempting to interpret arbitrary stack data as a valid pointer.
Detection Methods for CVE-2024-47600
Indicators of Compromise
- Unexpected application crashes in GStreamer-based media applications during media file analysis
- Segmentation faults occurring in the gst-discoverer component
- Memory access violations logged in system error logs related to GStreamer processes
- Anomalous media files with unusual audio channel configurations (>64 channels)
Detection Strategies
- Monitor for crashes in applications utilizing GStreamer's discovery functionality with stack traces pointing to format_channel_mask or gst-discoverer.c
- Implement application-level logging to detect media files with excessive audio channel counts
- Use memory sanitizers (ASan/MSan) in development environments to detect OOB reads during media processing
- Deploy file integrity monitoring on systems processing untrusted media content
Monitoring Recommendations
- Configure system logging to capture GStreamer-related crashes and memory access violations
- Implement input validation on media files before processing, checking for unusual channel configurations
- Monitor for repeated crashes or abnormal terminations in media processing pipelines
- Review application logs for errors related to audio channel enumeration in GStreamer components
How to Mitigate CVE-2024-47600
Immediate Actions Required
- Upgrade GStreamer to version 1.24.10 or later, which contains the security fix
- Review and update all applications that bundle or depend on vulnerable GStreamer versions
- Apply distribution-specific security updates (Debian users should reference the LTS announcement)
- Restrict processing of media files from untrusted sources until patching is complete
Patch Information
The vulnerability has been fixed in GStreamer version 1.24.10. The patch is available through the GitLab Merge Request 8034. For detailed security information, refer to the GStreamer Security Advisory SA-2024-0018 and the GitHub Security Lab Advisory GHSL-2024-248.
Debian users should apply updates as detailed in the Debian LTS Announcement.
Workarounds
- Implement input validation to reject media files claiming more than 64 audio channels before passing to GStreamer
- Isolate media processing in sandboxed environments with restricted memory access
- Use application-level channel count validation before invoking GStreamer discovery functions
- Consider disabling or restricting the use of gst-discoverer functionality for untrusted media sources until patching is possible
# Check installed GStreamer version
gst-inspect-1.0 --version
# Update GStreamer on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade gstreamer1.0-tools gstreamer1.0-plugins-base
# Verify the updated version
dpkg -l | grep gstreamer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
