GStreamer CVE-2017-5846
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gstasfdemux.c in gst-plugins-ugly in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via vectors related to the number of languages in a video file.
AnalysisAI
A out-of-bounds read vulnerability exists in GStreamer's ASF demuxer (gst-plugins-ugly) that allows remote attackers to trigger a denial of service by crafting malicious video files with specially crafted extended stream properties containing an invalid number of languages. GStreamer versions before 1.10.3 are affected, and the vulnerability is triggered through local user interaction with a malicious media file, resulting in application crashes due to invalid memory access. While EPSS scoring indicates relatively low exploitation probability (0.80%, 74th percentile), this is a straightforward denial of service with clear triggering mechanisms.
Technical ContextAI
The vulnerability resides in the gst_asf_demux_process_ext_stream_props function within gst/asfdemux/gstasfdemux.c in GStreamer's gst-plugins-ugly library (CPE: cpe:2.3:a:gstreamer:gstreamer). ASF (Advanced Systems Format) is a multimedia container format developed by Microsoft, commonly used in WMV and WMA files. The flaw is classified as CWE-125 (Out-of-bounds Read), indicating the function fails to properly validate the number of languages field in extended stream properties before reading memory. When processing a crafted ASF file with a malformed language count, the demuxer reads beyond allocated buffer boundaries, causing memory access violations. This is a parsing vulnerability triggered during media file deserialization.
RemediationAI
Upgrade GStreamer to version 1.10.3 or later immediately; users on older stable branches should check their distribution's backports (Debian LTS provides patched versions as noted in their announcement). Verify that gst-plugins-ugly is updated as part of the GStreamer installation, since the vulnerable code is in that plugin package. Until patching is complete, restrict user access to untrusted media files and educate users to avoid opening ASF/WMV files from untrusted sources. Organizations relying on GStreamer in media processing pipelines should prioritize this update and validate patches against regression testing with existing media assets. For further details, consult the official GStreamer release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3 and the Debian security advisory at http://www.debian.org/security/2017/dsa-3821.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today