Skip to main content

GStreamer CVE-2017-5837

MEDIUM
Divide By Zero (CWE-369)
2017-02-09 cve@mitre.org
5.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
MEDIUM 5.5

DescriptionCVE.org

The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file.

AnalysisAI

A floating-point exception vulnerability exists in the gst_riff_create_audio_caps function within GStreamer's gst-plugins-base library, allowing remote attackers to trigger a denial-of-service condition by crafting malicious video files. GStreamer versions before 1.10.3 are affected. The vulnerability has a moderate CVSS score of 5.5 but an EPSS percentile of 72%, indicating meaningful exploitation probability; a vendor patch is available.

Technical ContextAI

The vulnerability resides in gst-libs/gst/riff/riff-media.c, part of the GStreamer multimedia framework (CPE: cpe:2.3:a:gstreamer:gstreamer). GStreamer is a widely-deployed open-source media pipeline library used across Linux distributions and embedded systems for audio/video processing. The root cause is classified as CWE-369 (Divide By Zero), which occurs when the audio format parsing logic fails to validate numeric parameters before performing division operations. An attacker supplies a crafted RIFF audio header with malformed channel count, sample rate, or block alignment values that cause an unhandled division-by-zero exception during audio capability negotiation, crashing the GStreamer pipeline.

RemediationAI

Upgrade GStreamer and gst-plugins-base to version 1.10.3 or later immediately. Users of Debian should apply security update DSA-3819 (or the Debian LTS update from 2020-02); Red Hat users should apply RHSA-2017:2060; Gentoo users should apply GLSA-201705-10. For applications that cannot be immediately patched, restrict processing of untrusted media files or run GStreamer pipelines in sandboxed/containerized environments with resource limits to minimize crash impact. Validate that media file headers conform to RIFF specifications before passing to GStreamer, though this is not a substitute for patching.

Share

CVE-2017-5837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy