CVE-2024-0444

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in GStreamer's AV1 video parser allows remote attackers to execute arbitrary code by providing specially crafted AV1 video files. This affects any application using vulnerable GStreamer versions to process AV1 video content. Attackers can achieve remote code execution in the context of the application processing the malicious file.

💻 Affected Systems

Products:
  • GStreamer
  • Applications using GStreamer for AV1 video processing
Versions: GStreamer versions before commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390
Operating Systems: Linux, Windows, macOS, Android, Other platforms with GStreamer
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing AV1 video files through GStreamer's parser. Applications must use the vulnerable code path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Application crash (denial of service) or limited code execution within the application's context, potentially leading to further privilege escalation.

🟢 If Mitigated

Application crash without code execution if exploit fails or security controls like ASLR/DEP prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious AV1 video files and getting them processed by vulnerable GStreamer instances. Attack vectors could include web applications, media players, or video processing services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GStreamer commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390 and later

Vendor Advisory: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/f368d63ecd89e01fd2cf0b1c4def5fc782b2c390

Restart Required: Yes

Instructions:

1. Update GStreamer to a version containing commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390.
2. Restart all applications using GStreamer.
3. Rebuild any custom applications linked against GStreamer.

🔧 Temporary Workarounds

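Disable AV1 video processing

Platform: linux

Prevent GStreamer from processing AV1 video files by disabling or removing AV1 codec support. The package in the command below bundles many other plugins besides AV1 support, so check which applications depend on it before removing it.

# Remove AV1 plugin if using modular GStreamer
sudo apt remove gstreamer1.0-plugins-bad # or equivalent for your distribution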

Input validation for video files

Platform: all

Implement strict validation of AV1 video files before processing through GStreamer.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using GStreamer from untrusted networks.
  • Deploy application allowlisting to prevent execution of unauthorized code.

🔍 How to Verify

Check if Vulnerable:

Check GStreamer version and verify if commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390 is present in the source.

Check Version:

gst-inspect-1.0 --version

Verify Fix Applied:

Verify GStreamer version includes commit f368d63ecd89e01fd2cf0b1c4def5fc782b2c390 and test with known safe AV1 video files.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing AV1 video files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual network traffic from systems processing video files
  • AV1 video file downloads from suspicious sources

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "buffer overflow" OR "access violation") AND process="gst*"
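
For hosts that do not forward logs to a SIEM, the same filter can be run locally. The script below is an added example, not part of the original advisory or of GStreamer; the log line layout, the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Local equivalent of the SIEM query above (added example).
# Assumed line layout: "<timestamp> <host> <process>[<pid>]: <message>"

# Constructed sample log lines; none come from a real system.
sample_logs() {
cat <<'EOF'
2024-01-20T10:01:02Z media01 gst-launch-1.0[4312]: Caught SIGSEGV: Segmentation fault
2024-01-20T10:01:05Z media01 nginx[877]: worker exited: segmentation fault
2024-01-20T10:02:11Z media02 gst-transcoder[5120]: pipeline reached EOS
2024-01-20T10:03:40Z media02 gst-play-1.0[5191]: *** buffer overflow detected ***: terminated
2024-01-20T10:04:00Z win07 gstreamer-app.exe[332]: Access violation reading location 0x0
EOF
}

# Print lines whose process field starts with "gst" (process="gst*") and
# whose text contains one of the three crash phrases, case-insensitively.
gst_crash_hits() {
    awk '
    {
        proc = $3
        sub(/\[[0-9]+\]:$/, "", proc)      # strip the trailing "[pid]:"
        if (proc !~ /^gst/) next           # unrelated process, skip
        msg = tolower($0)
        if (msg ~ /segmentation fault|buffer overflow|access violation/) print
    }'
}

# Summarise hits as "<host> <process> <count>" so repeated crashes on one
# media host stand out.
gst_crash_summary() {
    gst_crash_hits | awk '
    {
        proc = $3
        sub(/\[[0-9]+\]:$/, "", proc)
        n[$2 " " proc]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

sample_logs | gst_crash_summary
```

A crash matched this way only indicates a fault in a GStreamer process; correlate it with the media file being handled at the time before treating it as related to this CVE.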
