Skip to main content

GStreamer CVE-2017-5838

HIGH
Out-of-bounds Read (CWE-125)
2017-02-09 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

DescriptionCVE.org

The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.

AnalysisAI

A heap buffer overflow vulnerability exists in GStreamer multimedia framework versions before 1.10.3, where malformed ISO8601 datetime strings can trigger out-of-bounds memory reads. The vulnerability affects the gst_date_time_new_from_iso8601_string function and allows remote attackers to cause denial of service conditions without requiring authentication. With an EPSS score of 2.76% (86th percentile), this vulnerability has above-average likelihood of exploitation, though it is not currently listed in CISA KEV.

Technical ContextAI

GStreamer is a widely-used open source multimedia framework that handles audio and video processing across Linux distributions and applications. The vulnerability resides in the gst/gstdatetime.c file, specifically in the gst_date_time_new_from_iso8601_string function that parses ISO8601-formatted datetime strings. This is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the application reads data past the end of an allocated buffer. Based on the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*, all GStreamer versions prior to 1.10.3 are affected across all platforms where GStreamer is deployed.

RemediationAI

Upgrade GStreamer to version 1.10.3 or later, which contains the fix for this vulnerability as documented in the official release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific security updates: Debian users should install DSA-3822, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA 201705-10. For systems that cannot be immediately patched, consider implementing input validation for datetime strings before they reach GStreamer processing, though upgrading remains the recommended solution. Patches are available from multiple sources including the openwall.com security mailing list.

Share

CVE-2017-5838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy