PatchSiren cyber security CVE debrief

CVE-2017-5194 Debian CVE debrief

CVE-2017-5194 is a high-severity use-after-free in Irssi before 0.8.21. According to the NVD record, a remote attacker can trigger a denial of service by sending an invalid nick message, and the issue is classified as CWE-416. The practical takeaway is simple: if you run or package Irssi, make sure you are on 0.8.21 or later and apply the vendor and distribution advisories linked below.

Vendor: Debian
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Anyone running Irssi clients before 0.8.21, plus distribution maintainers and administrators who rely on packaged Irssi builds. The Debian and Gentoo security references in the source corpus show that downstream package tracking matters as well, since the fix reaches most hosts through distribution updates rather than upstream releases.

Technical summary

NVD describes CVE-2017-5194 as a use-after-free in Irssi before 0.8.21. The attack surface is network-facing (AV:N) with low complexity, no privileges, and no user interaction, and the stated impact is availability-only denial of service (A:H). The vulnerable condition can be reached via an invalid nick message, which can crash the affected process.

Defensive priority

High

Recommended defensive actions

  • Upgrade Irssi to version 0.8.21 or later.
  • Apply the Irssi vendor security advisory and any downstream package updates from your distribution.
  • Inventory deployed Irssi versions and confirm no hosts remain on affected releases.
  • Treat affected instances as crash-risk services until patched and verify service restart/availability monitoring is in place.
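As an added example for the inventory step above (not code from the PatchSiren debrief or the Irssi project), a small triage script that reads a host/package-version export and flags Irssi packages whose upstream version predates 0.8.21, the fix release named in the NVD record; the host names and versions are constructed. It compares only the upstream part of a Debian-style version string, so a hit means "check the distribution advisory", because distribution security updates often backport the fix while keeping the older upstream version number.

```python
import re

# Added example, not code from the PatchSiren debrief or the Irssi project.
# 0.8.21 is the first upstream release the NVD record names as fixed.
FIXED_UPSTREAM = (0, 8, 21)

# Debian-style version: [epoch:]upstream[-revision]
_DEB_VERSION = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>[^-]+)(?:-(?P<rev>.+))?$")

def upstream_tuple(pkg_version: str) -> tuple:
    """Return the numeric upstream version: "1:0.8.20-2+deb8u1" -> (0, 8, 20).
    Epoch and distro revision are dropped, as is a "~rc1"/"+dfsg" suffix."""
    m = _DEB_VERSION.match(pkg_version.strip())
    if not m:
        raise ValueError(f"unparseable version: {pkg_version!r}")
    upstream = re.split(r"[~+]", m.group("upstream"))[0]
    return tuple(int(p) for p in upstream.split(".") if p.isdigit())

def upstream_below_fix(pkg_version: str) -> bool:
    """True when the packaged upstream version predates the 0.8.21 fix."""
    return upstream_tuple(pkg_version) < FIXED_UPSTREAM

def triage_inventory(lines):
    """Return (host, version) pairs whose Irssi upstream version is below 0.8.21.
    Lines are "host<TAB>version", as a dpkg-query export would produce.
    A hit means "check the distribution advisory": distro security updates
    often backport a fix while keeping the older upstream version number."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, version = line.split("\t", 1)
        if upstream_below_fix(version):
            hits.append((host, version.strip()))
    return hits

# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    "# host\tirssi package version",
    "irc-gw-01\t0.8.20-2+deb8u1",
    "irc-gw-02\t1:0.8.21-1",
    "shell-03\t1.0.2-1",
    "shell-04\t0.8.17-1",
]

if __name__ == "__main__":
    for host, ver in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {ver} predates 0.8.21, check the distro advisory")
```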

Evidence notes

Primary evidence comes from the NVD CVE record, which lists the vulnerability as a use-after-free in Irssi before 0.8.21, maps it to CWE-416, and gives the CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record also includes vendor and security references from irssi.org, Openwall, Debian LTS, and Gentoo. The supplied metadata's vendor field points to Debian, but the vulnerable product in the CVE record is Irssi; that mismatch is noted for context rather than as a claim about impact scope.

Official resources

The CVE was published in the source corpus on 2017-03-03, with vendor and mailing-list references dated 2017-01-06. The NVD record was modified on 2026-05-13; that is a record update date, not the original issue date.