Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted video file.
AnalysisAI
A floating-point exception vulnerability exists in the gst_riff_create_audio_caps function within GStreamer's gst-plugins-base library, allowing remote attackers to trigger a denial-of-service condition by crafting malicious video files. GStreamer versions before 1.10.3 are affected. The vulnerability has a moderate CVSS score of 5.5 but an EPSS percentile of 72%, indicating meaningful exploitation probability; a vendor patch is available.
Technical ContextAI
The vulnerability resides in gst-libs/gst/riff/riff-media.c, part of the GStreamer multimedia framework (CPE: cpe:2.3:a:gstreamer:gstreamer). GStreamer is a widely-deployed open-source media pipeline library used across Linux distributions and embedded systems for audio/video processing. The root cause is classified as CWE-369 (Divide By Zero), which occurs when the audio format parsing logic fails to validate numeric parameters before performing division operations. An attacker supplies a crafted RIFF audio header with malformed channel count, sample rate, or block alignment values that cause an unhandled division-by-zero exception during audio capability negotiation, crashing the GStreamer pipeline.
RemediationAI
Upgrade GStreamer and gst-plugins-base to version 1.10.3 or later immediately. Users of Debian should apply security update DSA-3819 (or the Debian LTS update from 2020-02); Red Hat users should apply RHSA-2017:2060; Gentoo users should apply GLSA-201705-10. For applications that cannot be immediately patched, restrict processing of untrusted media files or run GStreamer pipelines in sandboxed/containerized environments with resource limits to minimize crash impact. Validate that media file headers conform to RIFF specifications before passing to GStreamer, though this is not a substitute for patching.
Same weakness CWE-369 – Divide By Zero
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today