Skip to main content

GStreamer CVE-2017-5839

HIGH
Uncontrolled Recursion (CWE-674)
2017-02-09 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

DescriptionCVE.org

The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX.

AnalysisAI

A stack overflow vulnerability exists in the GStreamer multimedia framework's RIFF media handling component, where improper recursion limits when processing nested WAVEFORMATEX structures can cause denial of service crashes. The vulnerability affects GStreamer versions before 1.10.3 and allows remote attackers to crash applications using the framework without authentication. With an EPSS score of 3.04% (87th percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild, though it is limited to denial of service impact only.

Technical ContextAI

GStreamer is a widely-used open source multimedia framework that provides a pipeline-based architecture for handling audio and video processing. The vulnerability resides in the gst_riff_create_audio_caps function within the RIFF media handling library (gst-libs/gst/riff/riff-media.c), which processes Resource Interchange File Format data commonly used in WAV audio files. This is a classic case of CWE-674 (Uncontrolled Recursion), where the function fails to implement proper depth limits when parsing nested WAVEFORMATEX structures within RIFF files, allowing maliciously crafted files to trigger infinite recursion until the stack is exhausted.

RemediationAI

Upgrade GStreamer gst-plugins-base to version 1.10.3 or later, which includes the fix for this vulnerability as documented in the official release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. For systems using distribution packages, apply the vendor-specific security updates: Debian users should install DSA-3819, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA-201705-10. As a temporary mitigation until patching is possible, avoid processing untrusted RIFF/WAV files or implement input validation to reject files with excessive nesting depth before passing them to GStreamer.

Share

CVE-2017-5839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy