CVE-2023-44429
Published: 03 May 2024
Summary
CVE-2023-44429 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in GStreamer. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GStreamer contains a heap-based buffer overflow vulnerability in its AV1 codec parsing code, tracked as CVE-2023-44429 (ZDI-CAN-22226). The flaw stems from missing validation of the length of attacker-supplied data before it is copied into a fixed-size heap buffer during processing of AV1-encoded video streams. Affected installations allow remote code execution when the library parses malicious input, and the issue carries a CVSS 3.1 score of 8.8.
Remote attackers can trigger the vulnerability by supplying a crafted AV1 video file or stream to any application that uses the vulnerable GStreamer components. Successful exploitation grants arbitrary code execution in the context of the affected process; the attack requires the target to process the malicious media but does not need authentication or other privileges.
Official advisories published by the GStreamer project and Zero Day Initiative document the issue and point to updated builds that correct the buffer handling. The associated EPSS score has remained flat at 0.0599 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-48769
Vulnerability details
GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226.
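As an added illustration of the bug class described above (constructed for this page, not GStreamer's own code), the following hypothetical OBU payload reader in C decodes the AV1 leb128 size field and applies the two bounds checks the advisory says were missing before copying into a fixed-size heap buffer. The buffer size, function names and sample inputs are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAYLOAD_BUF_SIZE 64   /* hypothetical fixed-size heap buffer */

/* Decode an AV1-style leb128 length (at most 8 bytes).
   Returns the number of bytes consumed, or 0 if truncated/over-long. */
static size_t read_leb128(const uint8_t *p, size_t avail, uint64_t *out)
{
    uint64_t value = 0;
    for (size_t i = 0; i < 8 && i < avail; i++) {
        value |= (uint64_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

/* Copies the declared payload into a freshly allocated fixed-size buffer.
   Returns 1 on success, 0 if the input is rejected. The vulnerable pattern
   is the same memcpy without the two checks marked below. */
int parse_obu_payload(const uint8_t *obu, size_t len,
                      uint8_t **out_buf, size_t *out_len)
{
    uint64_t declared;
    size_t hdr = read_leb128(obu, len, &declared);
    if (hdr == 0) return 0;
    if (declared > len - hdr) return 0;          /* check 1: fits the input */
    if (declared > PAYLOAD_BUF_SIZE) return 0;   /* check 2: fits the heap buffer */
    uint8_t *buf = malloc(PAYLOAD_BUF_SIZE);
    if (!buf) return 0;
    memcpy(buf, obu + hdr, (size_t)declared);
    *out_buf = buf;
    *out_len = (size_t)declared;
    return 1;
}

/* Test helper: returns the copied length, or -1 if the input was rejected. */
int payload_check(const uint8_t *obu, size_t len)
{
    uint8_t *buf = NULL;
    size_t n = 0;
    if (!parse_obu_payload(obu, len, &buf, &n)) return -1;
    free(buf);
    return (int)n;
}

/* Constructed sample: declares 65 payload bytes (one more than the buffer). */
static const uint8_t TOO_BIG_FOR_BUF[66] = { 0x41 };
```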
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are mitigated by memory protections that render injected code non-executable.