PatchSiren cyber security CVE debrief

CVE-2017-5194 Debian CVE debrief

CVE-2017-5194 is a high-severity use-after-free in Irssi before 0.8.21. According to the NVD record, a remote attacker can trigger a denial of service by sending an invalid nick message, and the issue is classified as CWE-416. The practical takeaway is simple: if you run or package Irssi, make sure you are on 0.8.21 or later and apply the vendor and distribution advisories linked below.

Vendor: Debian
Product: CVE-2017-5194
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Anyone running Irssi clients before 0.8.21, plus distribution maintainers and administrators who rely on packaged Irssi builds. The Debian and Gentoo security references in the source corpus indicate that downstream package tracking matters as well.

Technical summary

NVD describes CVE-2017-5194 as a use-after-free in Irssi before 0.8.21. The attack surface is network-facing (AV:N) with low complexity, no privileges, and no user interaction, and the stated impact is availability-only denial of service (A:H). The vulnerable condition can be reached via an invalid nick message, which can crash the affected process.

Defensive priority

High

Recommended defensive actions

  • Upgrade Irssi to version 0.8.21 or later.
  • Apply the Irssi vendor security advisory and any downstream package updates from your distribution.
  • Inventory deployed Irssi versions and confirm no hosts remain on affected releases.
  • Treat affected instances as crash-risk services until patched and verify service restart/availability monitoring is in place.
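The inventory step above is easy to get wrong when version strings arrive in different shapes. The following is an added example, not part of the PatchSiren debrief or Irssi's own tooling: it screens collected version strings (output of `irssi --version`, or a Debian package Version field with an epoch and revision) against the 0.8.21 fix threshold. Hostnames and versions in the sample inventory are constructed.

```python
"""Screen reported Irssi versions against the CVE-2017-5194 fixed release (0.8.21)."""
import re

FIXED_VERSION = (0, 8, 21)  # from the advisory: fixed in Irssi 0.8.21

# Matches the upstream X.Y.Z version, skipping an optional Debian epoch ("1:")
# and stopping before a Debian revision ("-1+deb8u5") or a build date.
_VERSION_RE = re.compile(r"(?:^|\s)(?:\d+:)?(\d+)\.(\d+)\.(\d+)")


def parse_upstream_version(text):
    """Return (major, minor, patch) for the first version found in text, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the upstream version is below 0.8.21.

    Caveat: a distribution may backport the fix without changing the upstream
    version, so True means "review this host against the distro advisory",
    not "confirmed vulnerable".
    """
    v = parse_upstream_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    return v < FIXED_VERSION


def screen_inventory(records):
    """records: iterable of (host, version_text). Returns hosts needing review."""
    return [host for host, text in records if is_affected(text)]


# Constructed sample inventory (hostnames and versions are made up for illustration)
SAMPLE_INVENTORY = [
    ("shell-01", "irssi 0.8.20 (20160918 0834)"),   # below fix: review
    ("shell-02", "irssi 0.8.21 (20170117 1304)"),   # at fix version
    ("shell-03", "0.8.17-1+deb8u5"),                # Debian package, old upstream
    ("shell-04", "1:1.0.2-1"),                      # epoch-prefixed, newer upstream
]

if __name__ == "__main__":
    for host in screen_inventory(SAMPLE_INVENTORY):
        print(f"{host}: below 0.8.21, check distribution advisory")
```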

Evidence notes

Primary evidence comes from the NVD CVE record, which lists the vulnerability as a use-after-free in Irssi before 0.8.21, maps it to CWE-416, and gives CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record also includes vendor/security references from irssi.org, Openwall, Debian LTS, and Gentoo. The supplied metadata’s vendor field points to Debian, but the vulnerable product in the CVE record is Irssi; that mismatch is noted for context rather than as a claim about impact scope.

Official resources

The CVE was published in the source corpus on 2017-03-03, with vendor and mailing-list references dated 2017-01-06. The NVD record was last modified on 2026-05-13; that is a record update date, not the original issue date.