PatchSiren cyber security CVE debrief

CVE-2017-5840 GStreamer CVE debrief

CVE-2017-5840 is a high-severity GStreamer issue in gst-plugins-good that can let a remote attacker cause a denial of service through an out-of-bounds heap read in qtdemux_parse_samples. The NVD record lists the vulnerable range as GStreamer versions through 1.10.2, and the vendor release notes point to 1.10.3 as the fixed release.

Vendor: GStreamer
Product: CVE-2017-5840
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Organizations that ship or embed GStreamer gst-plugins-good, especially systems that process untrusted media files or streams. This includes desktop media applications, servers, and appliances that rely on GStreamer for demuxing MP4-like content.

Technical summary

The flaw is in qtdemux_parse_samples in gst/isomp4/qtdemux.c. NVD classifies it as CWE-125 (out-of-bounds read) with a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is described as involving the current stts index, and the affected versions are listed as GStreamer up to and including 1.10.2. The vendor release notes for 1.10.3 are the primary remediation reference.
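As an added example (not GStreamer's code and not a reconstruction of the patched function), the block below parses an MP4 stts box, the time-to-sample table the advisory names, with the length and index checks that keep a sample walk inside the buffer; the function names and the sample payloads are constructed for illustration.

```c
/* Added illustrative example, not GStreamer's code: parsing an MP4 'stts'
 * (time-to-sample) box with the bounds checks that defeat the CWE-125 bug
 * class in this advisory. ISO BMFF layout, all fields big-endian:
 *   u8 version, u24 flags, u32 entry_count,
 *   then entry_count x { u32 sample_count, u32 sample_delta }. */
#include <stdint.h>
#include <stddef.h>

/* Constructed sample payloads (the box header 'size'/'stts' already stripped). */
static const uint8_t STTS_GOOD[] = {
    0, 0, 0, 0,      0, 0, 0, 2,        /* version/flags, entry_count = 2 */
    0, 0, 0, 3,      0, 0, 0, 100,      /* 3 samples of duration 100 */
    0, 0, 0, 2,      0, 0, 0, 50        /* 2 samples of duration 50 */
};
static const uint8_t STTS_BAD_COUNT[] = {
    0, 0, 0, 0,      0, 0, 0x03, 0xE8,  /* entry_count = 1000, but ... */
    0, 0, 0, 1,      0, 0, 0, 1         /* ... only one entry is present */
};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validated entry count, or -1 when the box is truncated or the declared
 * entry_count would not fit in the bytes actually available. Trusting the
 * declared count without this check is what lets a table walk run off the heap. */
long long stts_entry_count(const uint8_t *payload, size_t len) {
    if (len < 8) return -1;                   /* version/flags + entry_count */
    uint32_t n = rd32(payload + 4);
    if (n > (len - 8) / 8) return -1;         /* entries would extend past the buffer */
    return n;
}

/* Sum of sample_count over all entries (what a demuxer sizes its per-sample
 * tables from); -1 on malformed input or an implausible total. */
long long stts_total_samples(const uint8_t *payload, size_t len) {
    long long n = stts_entry_count(payload, len);
    if (n < 0) return -1;
    long long total = 0;
    for (long long i = 0; i < n; i++) {       /* i < n keeps the stts index in bounds */
        const uint8_t *e = payload + 8 + (size_t)i * 8;
        total += rd32(e);                     /* sample_count; e + 4 is sample_delta */
        if (total > 0xFFFFFFFFLL) return -1;  /* refuse absurd counts before allocating */
    }
    return total;
}
```

A truncated length (fewer bytes than the declared entries need) is rejected the same way as an oversized entry_count, which is the case a fuzzer-generated or hostile file exercises.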

Defensive priority

High. The issue is network-reachable, requires no privileges or user interaction, and can be triggered through malformed media content to crash or otherwise disrupt affected applications.

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-good to 1.10.3 or later, or apply the vendor-backported fix supplied by your distribution.
  • Inventory products and containers that bundle GStreamer and confirm whether they include gst-plugins-good versions at or below 1.10.2.
  • Prioritize patching services that ingest untrusted media files, attachments, or streaming content.
  • If you rely on downstream packages, verify the vendor advisory or errata for your platform rather than assuming the upstream version number alone.
  • Monitor crash logs and media-processing failures for signs of malformed-input handling issues until patched.

Evidence notes

The CVE record was published on 2017-02-09 and later modified in NVD on 2026-05-13; the modification date should not be treated as the vulnerability's original disclosure date. The supplied NVD metadata identifies the affected CPE as gstreamer:gstreamer and the vulnerable version range as through 1.10.2. The record also links to the GStreamer 1.10.3 release notes, GNOME bug tracking, and downstream advisories from Debian, Red Hat, and Gentoo, which collectively support remediation guidance.

Official resources

Publicly disclosed in the CVE record on 2017-02-09. NVD metadata was later modified on 2026-05-13, but that later date reflects record maintenance rather than the original issue date.