PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5838 GStreamer CVE debrief

CVE-2017-5838 is a memory-safety denial-of-service issue in GStreamer’s datetime parsing code. According to the CVE record, a malformed ISO 8601 datetime string can trigger an out-of-bounds heap read in gst_date_time_new_from_iso8601_string(), affecting GStreamer versions before 1.10.3. The NVD record rates the issue as HIGH severity with network attack vector, no privileges required, and availability impact only.

Vendor: GStreamer
Product: CVE-2017-5838
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Organizations that process untrusted media or metadata with GStreamer, especially systems running versions 1.10.2 or earlier. This is most relevant for services or applications that accept remote content and may parse datetime strings as part of media handling.

Technical summary

The vulnerable function, gst_date_time_new_from_iso8601_string() in gst/gstdatetime.c, can read past heap bounds when given a malformed datetime string. NVD classifies the weakness as CWE-125 (Out-of-bounds Read). The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with a remotely triggerable availability impact rather than code execution.

Defensive priority

High for any deployment that ingests untrusted or externally supplied media/metadata. Priority is especially elevated for internet-facing services and shared platforms that use affected GStreamer releases.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.3 or later, as referenced in the vendor release notes.
  • Inventory applications and services that embed or depend on GStreamer, including transitive dependencies.
  • Treat malformed datetime input as hostile and ensure upstream components reject or sanitize unexpected ISO 8601 strings.
  • If immediate upgrade is not possible, reduce exposure by limiting untrusted content paths that reach GStreamer parsing code.
  • Validate vendor and distro advisories for your platform, including the linked Debian, Red Hat, and Gentoo references, to confirm package-specific fixes.
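One way to apply the "reject or sanitize unexpected ISO 8601 strings" action at the trust boundary, before a datetime string from untrusted metadata ever reaches GStreamer: an added example (not GStreamer's own code, and not a reproduction of the fixed parser) that accepts only a fixed, conservative ISO 8601 grammar and stops at the first unexpected byte, so the check itself can never read past the input. The accepted grammar is an assumption and is narrower than what GStreamer parses, so it may reject some inputs GStreamer would accept; that is the intended trade-off for a gate in front of an unpatched parser.

```c
#include <ctype.h>
#include <stddef.h>

/* Consume exactly n ASCII digits whose value lies in [lo, hi]. isdigit('\0')
 * is false, so the loop stops at the terminator and never reads past the end
 * of the string; *p advances only on success. */
static int take_num(const char **p, size_t n, int lo, int hi)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)(*p)[i])) return 0;
        v = v * 10 + ((*p)[i] - '0');
    }
    if (v < lo || v > hi) return 0;
    *p += n;
    return 1;
}

/* Conservative ISO 8601 gate (assumed grammar, narrower than GStreamer's own
 * parser): YYYY | YYYY-MM | YYYY-MM-DD | <date>THH:MM[:SS[.frac]] then nothing,
 * 'Z', +HH:MM or -HHMM. Returns 1 only if the whole string matches, so malformed
 * input is rejected before it reaches media-handling code. */
int iso8601_is_wellformed(const char *s)
{
    const char *p = s;
    if (s == NULL || !take_num(&p, 4, 0, 9999)) return 0;
    if (*p == '\0') return 1;
    if (*p++ != '-' || !take_num(&p, 2, 1, 12)) return 0;
    if (*p == '\0') return 1;
    if (*p++ != '-' || !take_num(&p, 2, 1, 31)) return 0;
    if (*p == '\0') return 1;
    if (*p++ != 'T' || !take_num(&p, 2, 0, 23)) return 0;
    if (*p++ != ':' || !take_num(&p, 2, 0, 59)) return 0;
    if (*p == ':') {                               /* optional seconds */
        p++;
        if (!take_num(&p, 2, 0, 60)) return 0;     /* 60 admits a leap second */
        if (*p == '.') {                           /* optional fraction: 1+ digits */
            int n = 0;
            for (p++; isdigit((unsigned char)*p); p++) n++;
            if (n == 0) return 0;
        }
    }
    if (*p == '\0') return 1;                      /* no zone designator */
    if (*p == 'Z') return p[1] == '\0';
    if (*p != '+' && *p != '-') return 0;
    p++;                                           /* numeric UTC offset */
    if (!take_num(&p, 2, 0, 14)) return 0;
    if (*p == ':') p++;
    return take_num(&p, 2, 0, 59) && *p == '\0';
}
```

Strings that fail the gate should be dropped or logged and counted, which also gives a cheap detection signal for hostile metadata arriving at the ingest path.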

Evidence notes

The CVE description states that gst_date_time_new_from_iso8601_string() in gst/gstdatetime.c in GStreamer before 1.10.3 allows remote attackers to cause a denial of service via a malformed datetime string. NVD maps the weakness to CWE-125 and lists the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vendor release notes for 1.10.3 are included in the source references, along with downstream advisories and issue tracking that corroborate the fix timeline.

Official resources

Publicly disclosed in the CVE record on 2017-02-09. NVD later marked the record modified on 2026-05-13; that modification date is not the vulnerability date.