PatchSiren cyber security CVE debrief
CVE-2017-5845 Gstreamer CVE debrief
CVE-2017-5845 is a high-severity denial-of-service issue in GStreamer's AVI demuxer. A malformed ncdt sub-tag in an AVI file can make gst_avi_demux_parse_ncdt read invalid memory and crash the process. GStreamer fixed the issue in 1.10.3; NVD lists affected gst-plugins-good versions through 1.10.2.
- Vendor: GStreamer
- Product: gst-plugins-good (AVI demuxer)
- CVE: CVE-2017-5845
- CVSS: 7.5 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Teams that ship or embed GStreamer gst-plugins-good, especially software that processes untrusted AVI media. This includes desktop media apps, transcoding pipelines, preview/indexing services, and any product that parses user-supplied files.
Technical summary
The vulnerable function is gst_avi_demux_parse_ncdt in gst/avi/gstavidemux.c. According to NVD, a remote attacker can trigger an invalid memory read and crash by supplying an ncdt sub-tag whose declared size extends past the end of the enclosing tag, so the parser reads beyond the data it was handed. NVD maps the issue to CWE-125 (out-of-bounds read) and rates the attack vector as network-based with no privileges or user interaction required. Affected versions are listed as GStreamer up to and including 1.10.2; the fix is referenced in the GStreamer 1.10.3 release notes.
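The bounds problem described above, as an added example that is not GStreamer's code: a minimal walker over an ncdt-style payload using the usual RIFF chunk layout (4-byte FourCC, 4-byte little-endian size, payload, pad byte after odd sizes), which is this example's assumption about the sub-tag format. It computes where an unchecked parser's next read would land when it trusts the declared size, beside a hardened walk that rejects any sub-tag whose header or payload does not fit inside the enclosing tag. The function names, the sub-tag FourCCs and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Assumed sub-tag layout (standard RIFF chunk shape; an assumption of this
 * example, not copied from GStreamer): 4-byte FourCC, 4-byte little-endian
 * payload size, then the payload. Odd-sized payloads are followed by one pad byte.
 */
#define SUBTAG_HDR 8u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Unchecked pattern (the bug class): trust the declared size and compute where
 * the parser's next read would land. Only the arithmetic is done here so the
 * example stays memory-safe; a parser that dereferences up to this offset reads
 * past the enclosing ncdt payload whenever the result exceeds its size.
 * The caller guarantees that the 8-byte header at `off` lies inside the buffer.
 */
static uint64_t subtag_end_unchecked(const uint8_t *ncdt, size_t off)
{
    uint32_t size = rd_le32(ncdt + off + 4);
    return (uint64_t)off + SUBTAG_HDR + size;
}

/*
 * Hardened walk: before touching any sub-tag, confirm its header fits in the
 * remaining bytes and its declared payload ends inside the enclosing tag.
 * Returns the number of sub-tags, or -1 if the ncdt payload is malformed.
 * `payload_bytes` (optional) receives the total payload size consumed.
 */
static int parse_ncdt_checked(const uint8_t *ncdt, size_t ncdt_size,
                              size_t *payload_bytes)
{
    size_t off = 0, total = 0;
    int count = 0;

    while (off < ncdt_size) {
        if (ncdt_size - off < SUBTAG_HDR)
            return -1;                          /* truncated header */
        uint32_t size = rd_le32(ncdt + off + 4);
        /* Subtract first so the comparison cannot overflow: off + 8 <= ncdt_size here. */
        if (size > ncdt_size - off - SUBTAG_HDR)
            return -1;                          /* payload spills past the enclosing tag */
        /* A real demuxer would dispatch on the FourCC at ncdt + off and read
         * `size` bytes from ncdt + off + 8; both are now known to be in bounds. */
        total += size;
        off += SUBTAG_HDR + size;
        if ((size & 1u) && off < ncdt_size)
            off++;                              /* RIFF pad byte, only if present */
        count++;
    }
    if (payload_bytes)
        *payload_bytes = total;
    return count;
}

/* Constructed sample (not a real camera file): two sub-tags, 4 and 2 payload bytes. */
static const uint8_t GOOD_NCDT[] = {
    'n','c','t','g', 0x04,0x00,0x00,0x00, 0xAA,0xBB,0xCC,0xDD,
    'n','c','t','h', 0x02,0x00,0x00,0x00, 0x01,0x02,
};

/* Constructed malformed sample: the second sub-tag claims 0x7FFFFFF0 payload
 * bytes while only 2 remain, the shape of input the hardened check must reject. */
static const uint8_t BAD_NCDT[] = {
    'n','c','t','g', 0x04,0x00,0x00,0x00, 0xAA,0xBB,0xCC,0xDD,
    'n','c','t','h', 0xF0,0xFF,0xFF,0x7F, 0x01,0x02,
};

/* Offset of the second sub-tag in both samples: 8 header + 4 payload bytes. */
#define SECOND_SUBTAG_OFF 12u

/* Does the unchecked arithmetic on BAD_NCDT's second sub-tag run past the buffer? */
int unchecked_would_overrun(void)
{
    return subtag_end_unchecked(BAD_NCDT, SECOND_SUBTAG_OFF) > sizeof(BAD_NCDT);
}

int main(void)
{
    size_t bytes = 0;
    int n = parse_ncdt_checked(GOOD_NCDT, sizeof(GOOD_NCDT), &bytes);
    printf("good: %d sub-tags, %zu payload bytes\n", n, bytes);
    printf("bad: %d (expected -1)\n",
           parse_ncdt_checked(BAD_NCDT, sizeof(BAD_NCDT), NULL));
    printf("unchecked end for bad second sub-tag: %llu of %zu bytes\n",
           (unsigned long long)subtag_end_unchecked(BAD_NCDT, SECOND_SUBTAG_OFF),
           sizeof(BAD_NCDT));
    return 0;
}
```

The hardened check subtracts the current offset and header size from the remaining length before comparing, rather than adding the declared size to the offset; with a 32-bit size field the addition can wrap on 32-bit builds and defeat a naive `off + 8 + size <= ncdt_size` test.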
Defensive priority
High for environments that accept or process untrusted media files. The issue is remotely triggerable and can reliably terminate the parsing process, which is operationally significant even though the impact is availability only.
Recommended defensive actions
- Upgrade GStreamer / gst-plugins-good to 1.10.3 or later.
- Inventory products that bundle or statically ship gst-plugins-good and confirm they include the fixed release.
- Treat untrusted AVI files as attack surface and route them through patched parsers only.
- Add crash monitoring and fuzzing coverage for AVI demuxing paths if you maintain downstream media code.
- Use vendor and distro advisories referenced by the CVE to verify backported fixes in packaged builds.
Evidence notes
Grounded in the NVD CVE record and the referenced GStreamer release notes. NVD describes the flaw as an invalid memory read leading to crash in gst_avi_demux_parse_ncdt, assigns CWE-125, and lists vulnerable versions through 1.10.2. The GStreamer 1.10.3 release notes are cited as the vendor fix reference. Public references in the CVE metadata include an issue tracker entry (GNOME Bug 777532), mailing list discussion, and distro advisories. CVE published date used here is 2017-02-09; modified date is 2026-05-13.
Official resources
- CVE-2017-5845 CVE record (CVE.org)
- CVE-2017-5845 NVD detail (NVD)
Source and mitigation references (NVD reference tags; the stored record does not preserve the URLs)
- Issue tracker entry (GNOME Bug 777532): Issue Tracking
- GStreamer 1.10.3 release notes: Release Notes, Vendor Advisory
- Mailing list discussion: Mailing List, Third Party Advisory
- Mailing list discussion carrying the patch: Mailing List, Patch, Third Party Advisory
- Distro advisory and vulnerability database entry: Third Party Advisory, VDB Entry
Public disclosure and coordination references in the source corpus date to early February 2017, with the CVE published on 2017-02-09. The vendor fix is referenced in GStreamer 1.10.3 release notes, and downstream advisories were issued by a