CVE-2021-3185

9.8 CRITICAL

📋 TL;DR

CVE-2021-3185 is a critical buffer overflow vulnerability in the GStreamer H.264 parser component (gst-plugins-bad). Attackers can exploit this by sending specially crafted H.264 video data to cause memory corruption, potentially leading to remote code execution. Systems using vulnerable versions of GStreamer for video processing are affected.

💻 Affected Systems

Products:
  • gst-plugins-bad
Versions: before 1.18.1
Operating Systems: Linux distributions with vulnerable GStreamer packages
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using GStreamer to parse H.264 video streams is vulnerable. Common in media servers, video processing tools, and applications with multimedia functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Service disruption through denial of service (crash) or limited code execution in the GStreamer process context.

🟢 If Mitigated

Contained process crash with no privilege escalation if proper sandboxing and memory protections are enabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious H.264 data to a vulnerable parser. Public proof-of-concept code exists demonstrating the buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.1 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1917192

Restart Required: Yes

Instructions:

1. Update gst-plugins-bad to version 1.18.1 or later using your distribution's package manager.
2. Restart any services or applications using GStreamer.
3. For Red Hat/CentOS: yum update gstreamer1-plugins-bad-free
4. For Debian/Ubuntu: apt update && apt install gstreamer1.0-plugins-bad

🔧 Temporary Workarounds

Disable H.264 parsing

linux

Prevent GStreamer from processing H.264 streams by removing or disabling the vulnerable plugin.

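# Preferred: rename the plugin so it can be restored after patching (the path varies by distribution; gst-inspect-1.0 h264parse prints the Filename)
mv /usr/lib/gstreamer-1.0/libgsth264parse.so /usr/lib/gstreamer-1.0/libgsth264parse.so.disabled
# Alternative: delete it outright (run one of the two commands, not both; after rm the mv has nothing to rename)
rm /usr/lib/gstreamer-1.0/libgsth264parse.so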

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for H.264 video data before processing.
  • Run GStreamer processes with minimal privileges and in sandboxed environments (e.g., containers with seccomp, AppArmor).

🔍 How to Verify

Check if Vulnerable:

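Check the gst-plugins-bad version with one of the following: gst-inspect-1.0 h264parse | grep -i "version", or dpkg -l | grep gstreamer1.0-plugins-bad, or rpm -q gstreamer1-plugins-bad-free. The -i is needed because gst-inspect-1.0 prints the field name as "Version".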

Check Version:

gst-inspect-1.0 h264parse | grep -i version

Verify Fix Applied:

Confirm version is 1.18.1 or higher using the same commands. Test with known malicious H.264 samples if available.
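
The version comparison described above can be scripted. The following is an added example, not part of the original advisory or of GStreamer; the function names and the sample input are constructed for illustration. It compares version components numerically, so a release such as 1.9.90 is not mistaken for being newer than 1.18.1.

```shell
#!/bin/sh
# Added example: decide from `gst-inspect-1.0 h264parse` output whether the
# plugin is at or above the fixed release named in this advisory.
FIXED_VERSION="1.18.1"

# Print the value of the "Version" field read from stdin (any letter case).
plugin_version() {
    awk 'tolower($1) == "version" { print $2; exit }'
}

# Succeed if dotted version $1 >= $2, comparing components numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read gst-inspect output on stdin; status 0 = fixed, 1 = vulnerable,
# 2 = no version found (element missing or plugin disabled).
check_h264parse() {
    ver=$(plugin_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no Version field in input"; return 2
    fi
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "OK: $ver is at or above $FIXED_VERSION"; return 0
    fi
    echo "VULNERABLE: $ver is below $FIXED_VERSION"; return 1
}

# Constructed sample of the "Plugin Details" block (not captured output).
SAMPLE_OLD='Plugin Details:
  Version                  1.16.2
  License                  LGPL'

printf '%s\n' "$SAMPLE_OLD" | check_h264parse || true
# On a real host: gst-inspect-1.0 h264parse | check_h264parse
```

Distribution packages can carry the fix as a backport under an older upstream version number, so on those systems confirm against the distribution's own advisory or package changelog as well.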

📡 Detection & Monitoring

Log Indicators:

  • GStreamer process crashes (segmentation faults) in syslog/journalctl
  • Abnormal termination of media processing applications

Network Indicators:

  • Unusual inbound traffic containing H.264 data to media servers
  • Spikes in malformed video file uploads

SIEM Query:

source="syslog" AND (process="gst*" OR process="*gstreamer*") AND (message="segmentation fault" OR message="SIGSEGV")
