CVE-2025-47219

Published: 8/7/2025 Last updated: 5/12/2026 Reserved: 5/2/2025

In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

CNA assigner: mitre (8254265b-2729-46b6-b9e3-3dfca2d5bfca) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	8.1	High	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (2)

conf-gstreamer gstreamer

Products affected (2)

Product	Vendor	Version
n/a	n/a	Tor before 0.3.0.8
n/a	n/a	Windows 10 for 32-bit Systems

References (6)

https://gstreamer.freedesktop.org/security/
https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
https://cert-portal.siemens.com/productcert/html/ssa-032379.html
https://gstreamer.freedesktop.org/security/
https://github.com/atredispartners/advisories/blob/master/2025/ATREDIS-2025-0003.md
https://cert-portal.siemens.com/productcert/html/ssa-032379.html