GStreamer CVE-2017-5838
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_date_time_new_from_iso8601_string function in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a malformed datetime string.
AnalysisAI
A heap buffer overflow vulnerability exists in GStreamer multimedia framework versions before 1.10.3, where malformed ISO8601 datetime strings can trigger out-of-bounds memory reads. The vulnerability affects the gst_date_time_new_from_iso8601_string function and allows remote attackers to cause denial of service conditions without requiring authentication. With an EPSS score of 2.76% (86th percentile), this vulnerability has above-average likelihood of exploitation, though it is not currently listed in CISA KEV.
Technical ContextAI
GStreamer is a widely-used open source multimedia framework that handles audio and video processing across Linux distributions and applications. The vulnerability resides in the gst/gstdatetime.c file, specifically in the gst_date_time_new_from_iso8601_string function that parses ISO8601-formatted datetime strings. This is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the application reads data past the end of an allocated buffer. Based on the CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*, all GStreamer versions prior to 1.10.3 are affected across all platforms where GStreamer is deployed.
RemediationAI
Upgrade GStreamer to version 1.10.3 or later, which contains the fix for this vulnerability as documented in the official release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific security updates: Debian users should install DSA-3822, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA 201705-10. For systems that cannot be immediately patched, consider implementing input validation for datetime strings before they reach GStreamer processing, though upgrading remains the recommended solution. Patches are available from multiple sources including the openwall.com security mailing list.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today