GStreamer CVE-2017-5841
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds heap read) via vectors involving ncdt tags.
AnalysisAI
An out-of-bounds heap read vulnerability exists in the gst_avi_demux_parse_ncdt function within the GStreamer gst-plugins-good component when parsing malformed AVI files containing crafted ncdt tags. GStreamer versions prior to 1.10.3 are affected, allowing remote attackers to cause denial of service without authentication or user interaction. With an EPSS score of 3.11% (87th percentile), the vulnerability shows moderate real-world exploitation likelihood, and patches are available from the vendor.
Technical ContextAI
GStreamer is a widely-used multimedia framework for constructing graphs of media-handling components, from simple playback to complex audio and video processing. The vulnerability affects cpe:2.3:a:gstreamer:gstreamer versions prior to 1.10.3, specifically within the gst-plugins-good package's AVI demuxer component (gstavidemux.c). The root cause is CWE-125 (Out-of-bounds Read), occurring when the gst_avi_demux_parse_ncdt function improperly validates ncdt (Nikon capture data tags) within AVI container files, allowing reads beyond allocated heap memory boundaries. This type of memory safety issue can lead to information disclosure or application crashes when processing untrusted media files.
RemediationAI
Upgrade GStreamer to version 1.10.3 or later as documented in the official release advisory at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific patches through their package managers: Debian users should reference DSA-3820, Red Hat Enterprise Linux users should apply RHSA-2017:2060, and Gentoo users should follow GLSA-201705-10. The patch details are available via the oss-security mailing list at http://www.openwall.com/lists/oss-security/2017/02/02/9. Until patching is feasible, limit exposure by restricting processing of untrusted AVI files, implementing application sandboxing, and blocking network-based media file processing from untrusted sources through content filtering or application whitelisting policies.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today