CVE-2025-47183

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2025-47183 NameCVE-2025-47183 DescriptionIn GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)…

CVE-2025-47183

Name	CVE-2025-47183
Description	In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4419-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
gst-plugins-good1.0 (PTS)	bullseye	1.18.4-2+deb11u2	vulnerable
	bullseye (security)	1.18.4-2+deb11u4	fixed
	bookworm	1.22.0-5+deb12u3	vulnerable
	bookworm (security)	1.22.0-5+deb12u2	vulnerable
	trixie	1.26.2-1	fixed
	trixie (security)	1.26.2-1+deb13u1	fixed
	forky, sid	1.28.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
gst-plugins-good1.0	source	bullseye	1.18.4-2+deb11u4		DLA-4419-1
gst-plugins-good1.0	source	(unstable)	1.26.2-1

Notes

[bookworm] - gst-plugins-good1.0 <no-dsa> (Minor issue)
https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
https://gstreamer.freedesktop.org/security/sa-2025-0005.html
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/48bf6a92d75051be7e5ffb66fcd1a49de74fe865 (1.27.1)
Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332 (1.26.2)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[bookworm] - gst-plugins-good1.0 <no-dsa> (Minor issue)https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.mdhttps://gstreamer.freedesktop.org/security/sa-2025-0005.htmlFixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/48bf6a92d75051be7e5ffb66fcd1a49de74fe865 (1.27.1)Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332 (1.26.2)

OS impact

OS	Version	Status	Fixed in
debian	bookworm	affected
debian	bullseye	fixed	`1.18.4-2+deb11u4`
debian	forky	fixed	`1.26.2-1`
debian	sid	fixed	`1.26.2-1`
debian	trixie	fixed	`1.26.2-1`
sles		affected

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.