CVE-2023-50186
Published: 03 May 2024
Summary
CVE-2023-50186 is a high-severity stack-based buffer overflow (CWE-121) in GStreamer (vendor: the GStreamer project). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
GStreamer contains a stack-based buffer overflow vulnerability in its AV1 video parsing code, tracked as CVE-2023-50186. The flaw stems from insufficient validation of the length of attacker-supplied metadata before it is copied into a fixed-size stack buffer during processing of AV1-encoded video files. Successful exploitation grants remote code execution in the context of the affected GStreamer process. The issue was originally reported as ZDI-CAN-22300 and carries a CVSS 3.1 score of 8.8.
Remote attackers can trigger the vulnerability by supplying a malicious AV1 video file to any application that uses the vulnerable GStreamer library for media handling. No authentication is required, but the file must be processed by the victim (the CVSS vector's user-interaction requirement), and the delivery path depends on the integrating application: local file playback, a browser or messaging client that auto-previews media, or a network stream. Exploitation results in arbitrary code execution with the privileges of the GStreamer process.
The GStreamer project has published security advisory SA-2023-0011, which includes patches for the affected AV1 parser. The Zero Day Initiative advisory ZDI-24-368 provides additional technical detail and confirms vendor remediation. The associated EPSS score has remained flat at 0.0918 with no material increase since disclosure.
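To make the weakness concrete, here is an added example, constructed for this page and not taken from GStreamer's source: a cut-down parser for an AV1 metadata OBU with the unchecked copy pattern the advisory describes beside a bounds-checked version. The OBU layout is simplified from the AV1 specification (one header byte, a leb128 obu_size, then the payload); the 32-byte buffer size, the sample bytes and the function names are assumptions made for the illustration.

```c
/* Illustrative AV1 metadata OBU parser (constructed example, not GStreamer
 * code). Layout simplified from the AV1 OBU syntax:
 *   obu_header (1 byte): forbidden(1) obu_type(4) ext_flag(1) has_size(1) rsv(1)
 *   obu_size   (leb128, present when has_size == 1)
 *   payload    (obu_size bytes)
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBU_METADATA   5     /* OBU_METADATA type code in the AV1 spec */
#define META_STACK_BUF 32    /* hypothetical fixed-size stack buffer */

/* AV1 leb128: up to 8 bytes, 7 data bits each, MSB set = continue. */
static int read_leb128(const uint8_t *p, size_t avail, uint64_t *val, size_t *used)
{
    uint64_t v = 0;
    for (size_t i = 0; i < 8 && i < avail; i++) {
        v |= (uint64_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) {
            *val = v;
            *used = i + 1;
            return 0;
        }
    }
    return -1;  /* truncated or over-long encoding */
}

/* Locate the metadata payload. Validates obu_size against the INPUT length
 * only; this is the part both the vulnerable and the fixed code get right. */
static int locate_metadata(const uint8_t *obu, size_t len,
                           const uint8_t **payload, size_t *size)
{
    uint64_t obu_size;
    size_t n;
    if (len < 1) return -1;
    if (((obu[0] >> 3) & 0x0f) != OBU_METADATA) return -1;
    if (!((obu[0] >> 1) & 1)) return -1;               /* need obu_size */
    if (read_leb128(obu + 1, len - 1, &obu_size, &n) != 0) return -1;
    if (obu_size > len - 1 - n) return -1;             /* payload past input */
    *payload = obu + 1 + n;
    *size = (size_t)obu_size;
    return 0;
}

/* Vulnerable pattern (CWE-121): obu_size is bounded by the input but never
 * compared with the capacity of dst. With a 32-byte stack dst and an
 * obu_size of 100 this writes 68 bytes past the buffer. */
static int metadata_copy_unchecked(const uint8_t *obu, size_t len, uint8_t *dst)
{
    const uint8_t *payload;
    size_t size;
    if (locate_metadata(obu, len, &payload, &size) != 0) return -1;
    memcpy(dst, payload, size);          /* no dst capacity check */
    return (int)size;
}

/* Hardened: identical parse plus the capacity check that was missing. */
static int metadata_copy_checked(const uint8_t *obu, size_t len,
                                 uint8_t *dst, size_t dst_cap)
{
    const uint8_t *payload;
    size_t size;
    if (locate_metadata(obu, len, &payload, &size) != 0) return -1;
    if (size > dst_cap) return -1;       /* reject instead of overflowing */
    memcpy(dst, payload, size);
    return (int)size;
}

/* Constructed sample OBU: type 5, has_size=1, payload_len bytes of 'A'.
 * payload_len is kept below 128 so obu_size fits one leb128 byte. */
static size_t build_metadata_obu(uint8_t *buf, size_t payload_len)
{
    if (payload_len > 127) payload_len = 127;
    buf[0] = (uint8_t)((OBU_METADATA << 3) | (1 << 1));   /* 0x2A */
    buf[1] = (uint8_t)payload_len;
    memset(buf + 2, 'A', payload_len);
    return 2 + payload_len;
}

/* Run one case and return the parser's result. dst is backed by 256 bytes so
 * the unchecked path can be observed copying more than META_STACK_BUF without
 * corrupting this demo's own stack. */
static int run_case(size_t payload_len, int checked)
{
    uint8_t obu[256], dst[256];
    size_t len = build_metadata_obu(obu, payload_len);
    return checked ? metadata_copy_checked(obu, len, dst, META_STACK_BUF)
                   : metadata_copy_unchecked(obu, len, dst);
}

/* Truncated input: obu_size claims more bytes than are present. */
static int run_truncated_case(void)
{
    uint8_t obu[256], dst[256];
    size_t len = build_metadata_obu(obu, 100);
    return metadata_copy_checked(obu, len - 50, dst, META_STACK_BUF);
}

int main(void)
{
    printf("benign (4 bytes):    unchecked=%d checked=%d\n", run_case(4, 0), run_case(4, 1));
    printf("oversize (100 bytes): unchecked=%d checked=%d\n", run_case(100, 0), run_case(100, 1));
    printf("truncated:            checked=%d\n", run_truncated_case());
    return 0;
}
```

Compile with `cc -Wall` and run: for the 100-byte sample the unchecked variant reports 100 bytes copied where the checked one returns -1. Against the 32-byte buffer it models, that same input would overrun the buffer by 68 bytes and reach the saved return address. The two checks to look for when auditing or fuzzing a real parser are the ones shown here: obu_size against the remaining input, and payload length against the destination's capacity.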
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-55008
Vulnerability details
GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of metadata within AV1 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22300.
- CWE(s): CWE-121 (Stack-based Buffer Overflow)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE-121) cited in the NVD entry.
Memory protections such as a non-executable stack (NX/DEP), stack canaries and ASLR raise the cost of exploiting out-of-bounds writes that corrupt control flow or inject shellcode: shellcode written to the stack is rendered non-executable, canaries detect a linear overwrite of the saved return address before it is used, and ASLR complicates return-oriented bypasses. These are partial mitigations, not a fix; updating to the patched GStreamer release referenced in SA-2023-0011 removes the overflow itself.