PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5837 GStreamer CVE debrief

CVE-2017-5837 is a denial-of-service issue in GStreamer's gst-plugins-base component. A crafted video file can trigger a floating point exception and crash in gst_riff_create_audio_caps, affecting versions before 1.10.3. The practical risk is service interruption in applications or systems that parse untrusted media with affected GStreamer builds.

Vendor: GStreamer
Product: CVE-2017-5837
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Security and platform teams that ship or embed GStreamer, especially maintainers of media players, transcoding services, desktop software, and Linux distributions that consume untrusted video files.

Technical summary

The vulnerable function is gst_riff_create_audio_caps in gst-libs/gst/riff/riff-media.c. According to the NVD record, the weakness is CWE-369 (divide by zero, the class of defect that surfaces as a floating point exception) and the impact is availability-only: a crash/DoS. The affected versions are GStreamer releases up to and including 1.10.2; the vendor release notes indicate the issue is addressed in 1.10.3.

Defensive priority

Medium. The issue is not described as code execution or data corruption, but media parsing bugs are often reachable through user-supplied files and can disrupt services or clients that process untrusted content.

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-base to 1.10.3 or later, or to the first fixed version in your distribution/vendor stream.
  • Identify products that parse video files through GStreamer and confirm whether they link against affected gst-plugins-base versions.
  • Prefer distro/vendor security advisories and backports where available, such as the Debian, Red Hat, or Gentoo advisories referenced in the record.
  • Treat untrusted media as an input boundary and isolate media-processing workloads where practical.
  • Add regression tests for malformed or edge-case RIFF/video inputs in any downstream component that embeds GStreamer.
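As an added illustration of the CWE-369 class named in the technical summary, and of the kind of input check the regression-test bullet calls for: a hypothetical RIFF "fmt " chunk validator that rejects zero divisors before deriving caps-like values. This is not GStreamer's code, the record does not state which field the real crash involved, and the sample chunks are constructed; the field layout is the standard WAVE fmt header.

```c
#include <stddef.h>
#include <stdint.h>
/* Fields of a WAVE "fmt " chunk body (WAVEFORMAT, little-endian on disk). */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t rate;
    uint32_t avg_bytes_per_sec;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wave_fmt;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a "fmt " body. Returns 0 on success, -1 if the chunk is truncated. */
int parse_wave_fmt(const uint8_t *buf, size_t len, wave_fmt *out) {
    if (buf == NULL || out == NULL || len < 16) return -1;
    out->format_tag        = rd16(buf + 0);
    out->channels          = rd16(buf + 2);
    out->rate              = rd32(buf + 4);
    out->avg_bytes_per_sec = rd32(buf + 8);
    out->block_align       = rd16(buf + 12);
    out->bits_per_sample   = rd16(buf + 14);
    return 0;
}

/* Derive bits per sample from block_align / channels; returns 0 (reject) when a
 * divisor is zero or the fields disagree. Dividing by a file-controlled channels == 0
 * raises SIGFPE ("floating point exception"), the CWE-369 crash class described above. */
unsigned derive_sample_width_bits(const wave_fmt *f) {
    if (f->channels == 0 || f->block_align == 0 || f->rate == 0) return 0;
    unsigned bytes_per_sample = f->block_align / f->channels;  /* safe: checked above */
    if (bytes_per_sample == 0 || bytes_per_sample * f->channels != f->block_align) return 0;
    if (bytes_per_sample * 8u < f->bits_per_sample) return 0;  /* claims more bits than fit */
    return bytes_per_sample * 8u;
}

/* Parse and validate in one step; 0 means the file should be rejected. */
unsigned check_fmt_chunk(const uint8_t *buf, size_t len) {
    wave_fmt f;
    if (parse_wave_fmt(buf, len, &f) != 0) return 0;
    return derive_sample_width_bits(&f);
}
/* Constructed samples (not from any real file): PCM, 44100 Hz, block_align 4, 16-bit; second has channels = 0. */
const uint8_t GOOD_FMT[16] = {1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
const uint8_t ZERO_CHANNELS_FMT[16] = {1,0, 0,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0};
```

Feeding both constructed chunks and a truncated buffer through check_fmt_chunk gives 16, 0 and 0, so a harness can assert that malformed headers are rejected rather than reaching a division.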

Evidence notes

Primary evidence comes from the NVD record, which states that gst_riff_create_audio_caps in gst-libs/gst/riff/riff-media.c in gst-plugins-base before 1.10.3 can be crashed by a crafted video file, causing a floating point exception and denial of service. The NVD entry maps the weakness to CWE-369 and lists affected versions through 1.10.2. The GStreamer 1.10.3 release notes are the vendor-side fix reference. The CVE record was published on 2017-02-09 and later modified on 2026-05-13; that modification date is record metadata, not the vulnerability date.

Official resources

CVE published: 2017-02-09T15:59:01.330Z. Record modified: 2026-05-13T00:24:29.033Z. Use the published date for vulnerability timing context; the modified date reflects later record updates.