Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (floating point exception and crash) via a crafted ASF file.
AnalysisAI
A floating point exception vulnerability exists in GStreamer's gst_riff_create_audio_caps function within gst-plugins-base versions prior to 1.10.3, allowing remote attackers to trigger a denial of service crash by supplying a specially crafted ASF (Advanced Systems Format) audio file. The vulnerability requires user interaction (file opening) but no elevated privileges, making it exploitable through common media playback scenarios. With an EPSS score of 0.72 (72nd percentile) and confirmed patch availability from the vendor, this represents a moderate real-world risk primarily affecting applications and systems that process untrusted media files.
Technical ContextAI
The vulnerability resides in the gst-riff library (gst-libs/gst/riff/riff-media.c) within GStreamer's multimedia framework, specifically in the audio capability creation routine used to parse ASF container metadata. The root cause is classified as CWE-369 (Divide By Zero), indicating that the gst_riff_create_audio_caps function performs division or modulo operations on attacker-controlled values derived from ASF file headers without proper validation or bounds checking. GStreamer is a widely-used multimedia library (affected CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*) integrated into numerous desktop environments, media players, and web browsers for audio and video processing. The parsing occurs when GStreamer attempts to introspect codec parameters from malformed ASF container headers, which can specify invalid sample rates or channel configurations that lead to zero or null values in arithmetic operations.
RemediationAI
Immediately upgrade GStreamer and gst-plugins-base to version 1.10.3 or later (see vendor advisory at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3). For distributions, apply the respective security updates: Debian systems should install the patched packages from DSA-3819, Red Hat systems should apply RHSA-2017:2060, and Gentoo systems should follow GLSA-201705-10 guidance. If immediate patching is not feasible, implement input validation at the application level by rejecting or sandboxing ASF files from untrusted sources, disable ASF/WMA codec support if not required, and isolate media processing to a restricted user account without network access. Organizations relying on older LTS distributions should prioritize backporting security fixes or planning upgrades, as Debian LTS patches were still being released for this vulnerability as of February 2020.
Same weakness CWE-369 – Divide By Zero
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today