PatchSiren cyber security CVE debrief

CVE-2017-5844 GStreamer CVE debrief

CVE-2017-5844 describes a denial-of-service issue in GStreamer’s ASF parsing path. The vulnerable function, gst_riff_create_audio_caps in gst-libs/gst/riff/riff-media.c, can trigger a floating point exception and crash when processing crafted ASF content. NVD maps the affected versions to gstreamer:gstreamer up to 1.10.2, and the GStreamer 1.10.3 release notes are the vendor reference for the fix.

Vendor: GStreamer
Product: CVE-2017-5844
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Teams that ship or depend on GStreamer/gst-plugins-base 1.10.2 and earlier should pay attention, especially desktop media applications, playback services, and any software that opens untrusted ASF files.

Technical summary

The issue is in gst_riff_create_audio_caps within GStreamer's RIFF media handling code. According to the NVD record, a crafted ASF file can cause a floating point exception leading to a crash. The NVD CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, low complexity, no privileges required, user interaction required, and high availability impact with no confidentiality or integrity impact. The vulnerable CPE range in the official record ends at version 1.10.2, and the upstream release notes identify 1.10.3 as the fixed release.
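The crash class named above, as an added illustration that is not GStreamer's code: a WAVEFORMATEX-style header parser of the kind gst_riff_create_audio_caps consumes, with a hypothetical unguarded division beside a hardened derivation that rejects zero or inconsistent fields before dividing. Which field the real bug divided by, and the 8..32-bit PCM limit, are assumptions rather than details of the upstream fix; the "floating point exception" in the record is the SIGFPE Linux raises for an integer divide-by-zero trap on x86, which is why the CWE-369 mapping fits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef struct {               /* WAVEFORMATEX core fields, PCMWAVEFORMAT order */
    uint16_t format, channels; /* wFormatTag, nChannels */
    uint32_t rate, av_bps;     /* nSamplesPerSec, nAvgBytesPerSec */
    uint16_t blockalign, bits; /* nBlockAlign, wBitsPerSample */
} strf_auds;
typedef struct { int width; uint64_t bitrate; } audio_params;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 16-byte little-endian header; short buffers are rejected. */
bool parse_strf_auds(const uint8_t *buf, size_t len, strf_auds *out) {
    if (buf == NULL || len < 16) return false;
    out->format = le16(buf);          out->channels = le16(buf + 2);
    out->rate = le32(buf + 4);        out->av_bps = le32(buf + 8);
    out->blockalign = le16(buf + 12); out->bits = le16(buf + 14);
    return true;
}

/* Hypothetical unguarded shape, kept only for contrast: a header field used
 * directly as a divisor. With nChannels == 0 the x86 #DE trap is delivered as
 * SIGFPE ("Floating point exception") although no float math is involved. */
int bytes_per_channel_unguarded(const strf_auds *s) { return s->blockalign / s->channels; }

/* Hardened: every divisor is checked and inconsistent headers are rejected, so a
 * crafted stream yields a parse error instead of a crash (CWE-369 mitigation). */
bool derive_audio_params(const strf_auds *s, audio_params *out) {
    if (s->channels == 0 || s->rate == 0 || s->blockalign == 0) return false;
    if (s->blockalign % s->channels != 0) return false;      /* frame must split evenly */
    unsigned bpc = s->blockalign / s->channels;              /* bytes per channel per frame */
    if (bpc > 4) return false;                               /* assumed: 8..32-bit PCM only */
    if (s->bits != 0 && (unsigned)s->bits > bpc * 8) return false; /* bits exceed container */
    out->width = (int)(bpc * 8);
    out->bitrate = (uint64_t)s->rate * s->blockalign * 8;    /* 64-bit avoids overflow */
    return true;
}

/* End-to-end helper: width in bits for a raw header, or -1 on any rejection. */
int width_from_bytes(const uint8_t *buf, size_t len) {
    strf_auds s; audio_params p;
    if (!parse_strf_auds(buf, len, &s) || !derive_audio_params(&s, &p)) return -1;
    return p.width;
}
```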

Defensive priority

Medium priority. The impact is availability-only, but the affected code sits in media parsing, so systems that process user-supplied audio/video files can still see repeated crashes or service disruption until patched.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.3 or later, or apply the vendor-documented package update for your distribution.
  • Inventory products and services that embed GStreamer or gst-plugins-base and confirm whether they accept ASF content from untrusted sources.
  • Check your platform advisories for packaged fixes, including Debian DSA-3819, Red Hat RHSA-2017:2060, and Gentoo GLSA 201705-10.
  • Treat ASF files from untrusted origins as risky until the patched version is deployed; add file-type filtering or isolation where practical.
  • Monitor for media-parser crashes in affected applications and use them as a signal that older GStreamer builds may still be deployed.

Evidence notes

The official NVD record states the vulnerable function, impact, CVSS 3.0 vector, CWE-369 mapping, and affected version range ending at 1.10.2. The GStreamer 1.10.3 release notes are listed as the vendor advisory/release-note reference. Supporting references in the corpus include OSS-security mailing list posts, GNOME Bugzilla issue 777525, and downstream advisories from Debian, Red Hat, and Gentoo, all consistent with a patch being available by the 1.10.3 release.

Official resources

Publicly disclosed on 2017-02-09. The official record and vendor references point to a fix in GStreamer 1.10.3, with downstream advisories following from major Linux vendors.