CVE-2023-40476
Published: 03 May 2024
Summary
CVE-2023-40476 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in GStreamer. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GStreamer contains a stack-based buffer overflow vulnerability in its H265 video parser that permits remote code execution. The flaw, tracked as CVE-2023-40476 and originally ZDI-CAN-21768, arises from insufficient validation of the length of attacker-supplied data before it is copied into a fixed-size stack buffer during parsing of H265 encoded files. Affected installations include multiple versions of the GStreamer multimedia framework, which is widely used by applications that process untrusted media.
An unauthenticated remote attacker can trigger the issue by supplying a malicious H265 file or stream to any application that uses the vulnerable GStreamer library. Successful exploitation grants arbitrary code execution in the context of the process that invokes the parser. The CVSS 3.1 score of 8.8 reflects a network attack vector, low attack complexity, no privileges required, and user interaction limited to processing the media.
Public advisories published by the GStreamer project and Zero Day Initiative, along with downstream notices such as the Debian LTS announcement, direct users to updated packages that contain the fix for the parsing routine.
The EPSS score for the vulnerability rose from lower values to a peak of 0.1060 before receding to its current value of 0.0622, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45047
Vulnerability details
GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H265 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21768.
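The flaw class the advisory describes, a length read from the input and used to copy into a fixed-size stack buffer without checking it against that buffer, shown as an added C illustration beside its hardened form. This is not GStreamer's parser; the record layout (a 2-byte big-endian length followed by payload bytes), the buffer size and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 64  /* capacity of the fixed stack buffer (assumed size) */

/* Constructed record layout (an assumption, not the H265 syntax):
 * a 2-byte big-endian length followed by that many payload bytes. */

/* CWE-121 pattern the advisory describes: the declared length is checked only
 * against what was received, never against the destination, so a value above
 * FIELD_MAX writes past `field` on the stack. Kept for contrast; nothing calls it. */
int parse_field_unchecked(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    uint8_t field[FIELD_MAX];
    if (rec_len < 2) return -1;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len > rec_len - 2) return -1;  /* guards the read only */
    memcpy(field, rec + 2, len);       /* overflow when len > FIELD_MAX */
    *out_len = len;
    return 0;
}

/* Hardened form: bound the declared length by the input AND the destination. */
int parse_field_checked(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    uint8_t field[FIELD_MAX];
    if (rec_len < 2) return -1;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len > rec_len - 2) return -1;    /* truncated: claims more than received */
    if (len > sizeof field) return -2;   /* the missing check: exceeds the stack buffer */
    memcpy(field, rec + 2, len);
    *out_len = len;
    return 0;
}

/* Constructed sample records, not captured from real streams. */
static const uint8_t REC_OK[]    = { 0x00, 0x04, 'a', 'b', 'c', 'd' };  /* claims 4, carries 4 */
static const uint8_t REC_SHORT[] = { 0x00, 0x0A, 'a', 'b', 'c' };       /* claims 10, carries 3 */

int check_ok(void)    { size_t n = 0; return parse_field_checked(REC_OK, sizeof REC_OK, &n) == 0 && n == 4; }
int check_short(void) { size_t n = 0; return parse_field_checked(REC_SHORT, sizeof REC_SHORT, &n) == -1; }
int check_oversized(void)  /* claims FIELD_MAX + 1 bytes and actually carries them */
{
    uint8_t rec[2 + FIELD_MAX + 1] = {0};
    rec[0] = (uint8_t)((FIELD_MAX + 1) >> 8); rec[1] = (uint8_t)(FIELD_MAX + 1);
    size_t n = 0;
    return parse_field_checked(rec, sizeof rec, &n) == -2;  /* rejected before memcpy */
}
```

The hardened parser rejects the oversized record before any copy happens, which is the check the advisory says the affected parsing routine lacked.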
- CWE(s): CWE-121 (Stack-based Buffer Overflow)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.