CVE-2025-47183

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.

Severity: MEDIUM (6.6) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

References:

https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
https://gstreamer.freedesktop.org/security/
https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md

Published: 2025-08-07
Modified: 2025-08-12

CVE-2025-47219

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
https://gstreamer.freedesktop.org/security/

Version: 2.1.2

Package gst-plugins-good1.0 update in p11 on 2025-07-27

ALT-PU-2025-9417-2

Closed vulnerabilities

CVE-2025-47183

CVE-2025-47219