Skip to main content

GStreamer CVE-2017-5840

HIGH
Out-of-bounds Read (CWE-125)
2017-02-09 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

DescriptionCVE.org

The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving the current stts index.

AnalysisAI

A buffer overflow vulnerability in GStreamer's MP4/QuickTime demuxer allows remote attackers to cause denial of service through out-of-bounds heap memory reads. The vulnerability affects GStreamer versions before 1.10.3 and can be triggered by processing specially crafted MP4 files, making it a concern for applications that process untrusted media content. With an EPSS score of 6.86% (91st percentile), this vulnerability has a higher-than-average likelihood of exploitation in the wild.

Technical ContextAI

The vulnerability resides in the qtdemux_parse_samples function within the gst/isomp4/qtdemux.c file of the gst-plugins-good component, which is responsible for parsing MP4 and QuickTime media containers. Based on the CPE identifier (cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*), all GStreamer installations prior to version 1.10.3 are affected. The issue is classified as CWE-125 (Out-of-bounds Read), occurring when the code improperly handles the current stts (time-to-sample) index while parsing sample data from media files, allowing reads beyond allocated heap memory boundaries.

RemediationAI

Upgrade GStreamer to version 1.10.3 or later, which contains the fix for this vulnerability as documented in the official GStreamer release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. For distribution-specific updates, apply the security patches provided: Debian users should reference DSA-3820, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA-201705-10. As a temporary mitigation until patching is possible, restrict processing of untrusted MP4/QuickTime files and implement input validation or sandboxing for media processing operations.

Share

CVE-2017-5840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy