CVE-2017-5840

HIGH 7.5 (CVSS 3.0)
2017-02-09

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Feb 09, 2017 - 15:59 (nvd), HIGH 7.5

Description

The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index.

Analysis

An out-of-bounds heap read in GStreamer's MP4/QuickTime demuxer allows remote attackers to cause a denial of service. The vulnerability affects GStreamer versions before 1.10.3 and can be triggered by processing specially crafted MP4 files, making it a concern for applications that process untrusted media content. With an EPSS score of 6.86% (91st percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild.

Technical Context

The vulnerability resides in the qtdemux_parse_samples function within the gst/isomp4/qtdemux.c file of the gst-plugins-good component, which is responsible for parsing MP4 and QuickTime media containers. Based on the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all GStreamer installations prior to version 1.10.3 are affected. The issue is classified as CWE-125 (Out-of-bounds Read), occurring when the code improperly handles the current stts (time-to-sample) index while parsing sample data from media files, allowing reads beyond allocated heap memory boundaries.
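The class of check described above, as an added example: a simplified time-to-sample walker that validates the current stts index before every entry read. It is not GStreamer's qtdemux code or the actual patch. The function name `stts_to_dts` and the sample bytes are constructed for illustration, and the layout assumed is the standard stts payload (version/flags, entry count, then sample_count/sample_delta pairs).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample stts payload: version/flags, entry_count = 2,
 * then (sample_count, sample_delta) = (2, 1000), (1, 500). */
static const uint8_t SAMPLE_STTS[] = {
    0, 0, 0, 0,   0, 0, 0, 2,
    0, 0, 0, 2,   0, 0, 0x03, 0xE8,
    0, 0, 0, 1,   0, 0, 0x01, 0xF4,
};

/* Big-endian 32-bit read, the integer encoding used in MP4 boxes. */
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Fill dts[0..n_samples) from the stts table. Returns 0 on success, -1 if
 * the table is truncated or runs out before every sample has a timestamp. */
int stts_to_dts(const uint8_t *stts, size_t len, uint32_t n_samples,
                uint64_t *dts) {
    if (len < 8) return -1;
    uint32_t n_entries = rd32(stts + 4);
    /* Declared entry count must fit in the bytes actually present. */
    if (n_entries > (len - 8) / 8) return -1;
    uint64_t t = 0;
    uint32_t idx = 0, left = 0, delta = 0;
    for (uint32_t s = 0; s < n_samples; s++) {
        while (left == 0) {
            /* Validate the current stts index before each entry read. */
            if (idx >= n_entries) return -1;
            left = rd32(stts + 8 + 8 * (size_t)idx);
            delta = rd32(stts + 12 + 8 * (size_t)idx);
            idx++;
        }
        dts[s] = t;
        t += delta;
        left--;
    }
    return 0;
}

int main(void) {
    uint64_t dts[5];
    printf("3 samples: %d\n", stts_to_dts(SAMPLE_STTS, sizeof SAMPLE_STTS, 3, dts));
    printf("5 samples: %d\n", stts_to_dts(SAMPLE_STTS, sizeof SAMPLE_STTS, 5, dts));
    return 0;
}
```

The second call asks for more samples than the table describes, so the walker rejects the input instead of reading an entry past the end of the table.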

Affected Products

GStreamer multimedia framework versions prior to 1.10.3 are vulnerable, specifically the gst-plugins-good component as identified by the CPE string cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. This affects various Linux distributions including Debian (see DSA-3820), Red Hat Enterprise Linux (RHSA-2017:2060), and Gentoo (GLSA-201705-10). The vulnerability impacts any application or service using GStreamer for media processing, particularly those handling untrusted MP4 or QuickTime files from external sources.

Remediation

Upgrade GStreamer to version 1.10.3 or later, which contains the fix for this vulnerability as documented in the official GStreamer release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. For distribution-specific updates, apply the security patches provided: Debian users should reference DSA-3820, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA-201705-10. As a temporary mitigation until patching is possible, restrict processing of untrusted MP4/QuickTime files and implement input validation or sandboxing for media processing operations.

Priority Score

44
KEV: 0
EPSS: +6.9
CVSS: +38
POC: 0
