CVE-2023-44429

High

Published: 03 May 2024

Modified: 17 March 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0599 (90.9th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-44429 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in GStreamer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GStreamer contains a heap-based buffer overflow vulnerability in its AV1 codec parsing code, tracked as CVE-2023-44429 (ZDI-CAN-22226). The flaw stems from missing validation of the length of attacker-supplied data before it is copied into a fixed-size heap buffer during processing of AV1-encoded video streams. Affected installations allow remote code execution when the library parses malicious input, and the issue carries a CVSS 3.1 score of 8.8.

Remote attackers can trigger the vulnerability by supplying a crafted AV1 video file or stream to any application that uses the vulnerable GStreamer components. Successful exploitation grants arbitrary code execution in the context of the affected process; the attack requires the target to process the malicious media but does not need authentication or other privileges.

Official advisories published by the GStreamer project and Zero Day Initiative document the issue and point to updated builds that correct the buffer handling. The associated EPSS score has remained flat at 0.0599 with no material increase since disclosure.

Vulnerability details

GStreamer AV1 Codec Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22226.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gstreamer
gstreamer
≤ 1.22.7
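
An added example (not part of the original page or the GStreamer project): a triage helper that applies the affected range listed above (≤ 1.22.7) to package inventory lines. The inventory rows, host names and status labels are constructed for illustration. Distro packages that fall in range are flagged for a backport check rather than declared vulnerable, because a distribution can ship the fix without changing the upstream version number.

```python
import re

# Upper bound of the affected range as listed on this page ("gstreamer <= 1.22.7").
AFFECTED_MAX = (1, 22, 7)

# Constructed sample inventory: "<host> <package> <version>" per line.
SAMPLE_INVENTORY = """\
media-01 gstreamer1.0-plugins-bad 1.22.0-4+deb12u2
kiosk-07 gstreamer1-plugins-bad-free 1.22.8-1.fc39
build-03 gstreamer 1.22.7
edge-11 gstreamer 1.24.2
lab-02 gstreamer git-snapshot
"""

def upstream_version(raw):
    """Return the upstream (x, y, z) tuple from a package version string.

    Drops a leading Debian/RPM epoch ("1:") and ignores any packaging
    revision after the x.y.z part. Returns None when no x.y.z is present.
    """
    raw = raw.strip().split(":", 1)[-1]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(raw):
    """Map a version string to a triage status (labels are hypothetical)."""
    version = upstream_version(raw)
    if version is None:
        return "unknown"                  # cannot parse: needs manual review
    if version > AFFECTED_MAX:
        return "outside-range"
    # A packaging revision ("-4+deb12u2") means the vendor may have
    # backported the fix, so the upstream number alone is not conclusive.
    return "in-range-check-backport" if "-" in raw else "in-range"

def triage(inventory):
    """Return {host: status} for every inventory line."""
    results = {}
    for line in inventory.splitlines():
        host, _package, version = line.split()
        results[host] = classify(version)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```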

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.