CVE-2017-5838

HIGH
2017-02-09 [email protected]
7.5
CVSS 3.0
Share

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

Tags

Denial Of Service Gstreamer

Description

The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.

Analysis

A heap buffer overflow vulnerability exists in GStreamer multimedia framework versions before 1.10.3, where malformed ISO8601 datetime strings can trigger out-of-bounds memory reads. The vulnerability affects the gst_date_time_new_from_iso8601_string function and allows remote attackers to cause denial of service conditions without requiring authentication. With an EPSS score of 2.76% (86th percentile), this vulnerability has above-average likelihood of exploitation, though it is not currently listed in CISA KEV.

Technical Context

GStreamer is a widely-used open source multimedia framework that handles audio and video processing across Linux distributions and applications. The vulnerability resides in the gst/gstdatetime.c file, specifically in the gst_date_time_new_from_iso8601_string function that parses ISO8601-formatted datetime strings. This is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the application reads data past the end of an allocated buffer. Based on the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*, all GStreamer versions prior to 1.10.3 are affected across all platforms where GStreamer is deployed.

Affected Products

GStreamer multimedia framework versions prior to 1.10.3 are vulnerable, as indicated by the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. This affects numerous Linux distributions including Debian (DSA-3822), Red Hat Enterprise Linux (RHSA-2017:2060), and Gentoo Linux (GLSA 201705-10). The vulnerability is tracked in the GNOME bugzilla as bug 777263. Official patch information and release notes are available at the GStreamer project page https://gstreamer.freedesktop.org/releases/1.10/#1.10.3.

Remediation

Upgrade GStreamer to version 1.10.3 or later, which contains the fix for this vulnerability as documented in the official release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific security updates: Debian users should install DSA-3822, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA 201705-10. For systems that cannot be immediately patched, consider implementing input validation for datetime strings before they reach GStreamer processing, though upgrading remains the recommended solution. Patches are available from multiple sources including the openwall.com security mailing list.

Priority Score

40
Low Medium High Critical
KEV: 0
EPSS: +2.8
CVSS: +38
POC: 0

Share

CVE-2017-5838 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy