PatchSiren cyber security CVE debrief

CVE-2017-5357 Fedoraproject CVE debrief

CVE-2017-5357 is a denial-of-service vulnerability in the regular-expression handling (regex.c) of GNU ed. According to the CVE record and NVD, a malformed command can trigger an invalid free and crash the program. The issue was publicly disclosed through vendor and mailing-list advisories in January 2017 and published in NVD on 2017-02-17.

Vendor: Fedoraproject
Product: CVE-2017-5357
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Administrators and package maintainers who deploy GNU ed, especially on Fedora-derived systems or any environment that still ships affected GNU ed builds. Security teams should care most where command-line utilities are used in automated workflows or legacy systems.

Technical summary

The NVD record describes the flaw as an invalid free in regex.c reachable via a malformed command, resulting in a crash (denial of service). NVD assigns the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the primary impact is on availability. The record also maps the weakness to CWE-416 (Use After Free), consistent with a memory-management fault. NVD's affected CPEs include GNU ed up to 1.14 and Fedora 25.

Defensive priority

High for systems that still include vulnerable GNU ed builds. Although the impact is denial of service rather than data compromise, the flaw affects a foundational utility and is rated HIGH by CVSS.

Recommended defensive actions

  • Upgrade GNU ed to version 1.14.1 or later, as identified in the CVE description.
  • Apply vendor/package updates from distribution advisories, including Fedora package announcements where relevant.
  • Check installed package versions to confirm no affected GNU ed release remains deployed.
  • Review crash logs or abnormal terminations involving ed and replace any legacy workflows that depend on vulnerable versions.
  • Track downstream vendor advisories for rebuilds or backports if you cannot upgrade the base package immediately.
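An added example (not PatchSiren's or the GNU ed project's code) of the version check in the list above: a POSIX shell script that reads the `ed --version` banner, compares it numerically against the fixed release 1.14.1 named in the CVE text, and on RPM-based systems such as Fedora also reports the installed package. It assumes the banner's first line has the form "GNU ed 1.14" and that the RPM package is named "ed".

```shell
#!/bin/sh
# Version check for CVE-2017-5357: GNU ed before 1.14.1 is affected.
# Assumption: `ed --version` starts with "GNU ed <version>"; RPM package is "ed".
FIXED_VERSION="1.14.1"

# version_lt A B: exit 0 when dotted version A is older than B.
# Missing components count as 0, so 1.14 < 1.14.1 while 1.14.1 == 1.14.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# ed_version_is_vulnerable VER: true when VER predates the fixed release.
ed_version_is_vulnerable() { version_lt "$1" "$FIXED_VERSION"; }

# parse_ed_version LINE: print "1.14" for a "GNU ed 1.14" banner, nothing otherwise.
parse_ed_version() {
    printf '%s\n' "$1" | sed -n 's/^GNU ed \([0-9][0-9.]*\).*/\1/p'
}

# Report on the ed binary in PATH and, where rpm exists, the installed package.
check_installed_ed() {
    if command -v ed >/dev/null 2>&1; then
        # stdin from /dev/null so a non-GNU ed cannot sit waiting for commands
        banner=$(ed --version </dev/null 2>/dev/null | head -n 1)
        ver=$(parse_ed_version "$banner")
        if [ -z "$ver" ]; then
            echo "ed found but version banner not recognised: $banner"
        elif ed_version_is_vulnerable "$ver"; then
            echo "VULNERABLE: GNU ed $ver is older than $FIXED_VERSION (CVE-2017-5357)"
        else
            echo "OK: GNU ed $ver is at or above $FIXED_VERSION"
        fi
    else
        echo "ed not found in PATH"
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --queryformat 'rpm package ed: %{VERSION}-%{RELEASE}\n' ed 2>/dev/null || true
    fi
}

check_installed_ed
```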

Evidence notes

Primary evidence comes from the NVD record and the GNU bug/advisory references listed there. The CVE description states GNU ed before 1.14.1 can crash from a malformed command that triggers an invalid free. NVD's CPE list also marks GNU ed up to 1.14 as vulnerable and includes Fedora 25. There is a small version-bound discrepancy between the prose description ('before 1.14.1') and the CPE range ('up to 1.14'); this debrief preserves both as supplied by the source corpus.

Official resources

Public advisory activity appears in January 2017 references, with the CVE published by NVD on 2017-02-17. The record was last modified on 2026-05-13, which should not be treated as the vulnerability date.