PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5665 Libmp3splt Project CVE debrief

CVE-2017-5665 is a denial-of-service vulnerability in libmp3splt 0.9.2. According to NVD and the cited advisory, crafted input can reach splt_cue_export_to_file in cue.c and trigger a NULL pointer dereference, causing the application to crash. The issue is tracked as CWE-476 and was published on 2017-03-01; the NVD record was later modified on 2026-05-13.

Vendor
Libmp3splt Project
Product
libmp3splt
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Maintainers and users of libmp3splt 0.9.2, especially distributions or applications that parse untrusted cue/audio files through libmp3splt.

Technical summary

NVD maps the issue to libmp3splt 0.9.2 and classifies it as CWE-476. The reported flaw is a NULL pointer dereference in splt_cue_export_to_file within cue.c, which can be triggered by crafted file input and results in a crash. NVD’s CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: local attack vector, low complexity, no privileges required, user interaction required (the victim must open the crafted file), scope unchanged, no confidentiality or integrity impact, and high availability impact.
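The bug class is worth seeing in code. The block below is an added illustration written for this debrief, not libmp3splt's cue.c and not the actual splt_cue_export_to_file: the cue_track structure, the field names and the exporter functions are hypothetical stand-ins. It pairs the CWE-476 pattern (an exporter that trusts every field of a parsed track to be non-NULL) with a hardened form that rejects a NULL record and simply omits optional lines whose field is absent, which is what a crafted input with a missing tag would otherwise turn into a crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parsed track record; NOT libmp3splt's real
   structure. A crafted input can leave title or performer NULL. */
typedef struct {
    int number;
    const char *title;      /* NULL when the input carried no title */
    const char *performer;  /* NULL when the input carried no performer */
} cue_track;

/* Append s to out at *pos; returns 0 on success, -1 on truncation. */
static int put(char *out, size_t outlen, size_t *pos, const char *s)
{
    size_t n = strlen(s);                 /* strlen(NULL) is where the crash lands */
    if (*pos + n + 1 > outlen) return -1;
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}

/* Unchecked pattern (CWE-476): assumes every field is populated. With
   title == NULL this dereferences NULL inside strlen(). Shown for contrast
   only; the demo functions below never call it with a NULL field. */
int cue_export_track_unchecked(const cue_track *t, char *out, size_t outlen)
{
    char line[64];
    size_t pos = 0;
    snprintf(line, sizeof line, "  TRACK %02d AUDIO\n", t->number);
    if (put(out, outlen, &pos, line)) return -1;
    if (put(out, outlen, &pos, "    TITLE \"") || put(out, outlen, &pos, t->title) ||
        put(out, outlen, &pos, "\"\n")) return -1;
    if (put(out, outlen, &pos, "    PERFORMER \"") || put(out, outlen, &pos, t->performer) ||
        put(out, outlen, &pos, "\"\n")) return -1;
    return (int)pos;
}

/* Hardened form: reject a NULL record up front and emit the optional TITLE
   and PERFORMER lines only when the field is present (CUE allows both to be
   omitted), so a crafted input with a missing tag degrades gracefully. */
int cue_export_track_checked(const cue_track *t, char *out, size_t outlen)
{
    char line[64];
    size_t pos = 0;
    if (t == NULL || out == NULL || outlen == 0) return -1;
    snprintf(line, sizeof line, "  TRACK %02d AUDIO\n", t->number);
    if (put(out, outlen, &pos, line)) return -1;
    if (t->title != NULL &&
        (put(out, outlen, &pos, "    TITLE \"") || put(out, outlen, &pos, t->title) ||
         put(out, outlen, &pos, "\"\n"))) return -1;
    if (t->performer != NULL &&
        (put(out, outlen, &pos, "    PERFORMER \"") || put(out, outlen, &pos, t->performer) ||
         put(out, outlen, &pos, "\"\n"))) return -1;
    return (int)pos;
}

/* Constructed sample records (not derived from any real crash input). */
static const cue_track full_track = { 1, "Song", "Band" };
static const cue_track no_title   = { 2, NULL,   "Band" };

/* Both exporters produce identical output for a complete record. Returns 1. */
int demo_full_track_agrees(void)
{
    char a[256], b[256];
    int na = cue_export_track_unchecked(&full_track, a, sizeof a);
    int nb = cue_export_track_checked(&full_track, b, sizeof b);
    return na > 0 && na == nb && strcmp(a, b) == 0;
}

/* The hardened exporter survives a record with no title and omits the TITLE
   line; the unchecked one would dereference NULL here. Returns 1 on success. */
int demo_missing_title_handled(void)
{
    char buf[256];
    int n = cue_export_track_checked(&no_title, buf, sizeof buf);
    return n > 0 && strstr(buf, "TITLE") == NULL &&
           strstr(buf, "PERFORMER \"Band\"") != NULL;
}

/* A NULL record pointer is reported as an error rather than dereferenced. */
int demo_null_track_rejected(void)
{
    char buf[16];
    return cue_export_track_checked(NULL, buf, sizeof buf) == -1;
}

int main(void)
{
    printf("full track agrees:     %d\n", demo_full_track_agrees());
    printf("missing title handled: %d\n", demo_missing_title_handled());
    printf("NULL track rejected:   %d\n", demo_null_track_rejected());
    return 0;
}
```

The design point is that the check belongs at the boundary where parsed data becomes trusted: the hardened exporter never assumes the parser filled in optional fields, and it reports errors through the return value instead of crashing the host application. When auditing a fix for this class of bug, confirm that every deref of a field the parser may leave unset is guarded, not just the one named in the advisory.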

Defensive priority

Medium. This is an availability-only crash issue, but it can still disrupt desktop or processing workflows that handle untrusted files. Prioritize if your environment processes user-supplied cue/audio content or ships libmp3splt in a user-facing application.

Recommended defensive actions

  • Inventory systems and packages using libmp3splt 0.9.2.
  • Apply vendor or distribution security updates for libmp3splt when available.
  • Restrict or sandbox parsing of untrusted cue/audio files until patched.
  • Treat unexpected crashes in file-processing workflows as potential indicators of this issue and review affected logs.
  • If you maintain downstream software, verify whether your build inherits libmp3splt 0.9.2 and issue a patched release promptly.

Evidence notes

Supported by the NVD record and the cited Gentoo advisory reference. NVD lists the affected CPE as libmp3splt_project:libmp3splt:0.9.2 and assigns CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The weakness is CWE-476. The public record was published on 2017-03-01 and modified on 2026-05-13.
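A quick way to check that the stated MEDIUM 5.5 is consistent with the vector above is to recompute the base score from the CVSS v3.0 specification. The calculator below is an added example for this debrief, not a PatchSiren or NVD tool; the weights and formulas are those published in the CVSS v3.0 specification, the rounding helper uses the integer-based Roundup from the v3.1 specification (which gives the same results while avoiding floating-point edge cases), and the function and variable names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Metric weights from the CVSS v3.0 specification. -1 marks an invalid value. */
static double w_av(char v)  { return v=='N'?0.85 : v=='A'?0.62 : v=='L'?0.55 : v=='P'?0.20 : -1; }
static double w_ac(char v)  { return v=='L'?0.77 : v=='H'?0.44 : -1; }
static double w_ui(char v)  { return v=='N'?0.85 : v=='R'?0.62 : -1; }
static double w_cia(char v) { return v=='H'?0.56 : v=='L'?0.22 : v=='N'?0.00 : -1; }
static double w_pr(char v, int scope_changed)
{
    if (v == 'N') return 0.85;
    if (v == 'L') return scope_changed ? 0.68 : 0.62;
    if (v == 'H') return scope_changed ? 0.50 : 0.27;
    return -1;
}

/* x^15, used by the changed-scope impact formula; avoids linking libm. */
static double pow15(double x) { double r = 1.0; int k; for (k = 0; k < 15; k++) r *= x; return r; }

/* Roundup to one decimal place as defined in the CVSS v3.1 specification:
   work on round(x * 100000) so that e.g. 5.43 rounds up to 5.5 and 5.5 stays 5.5. */
static double roundup1(double x)
{
    long n = (long)(x * 100000.0 + 0.5);
    if (n % 10000 == 0) return n / 100000.0;
    return ((n / 10000) + 1) / 10.0;
}

/* Base score for a v3.0 vector such as "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";
   an optional "CVSS:3.0/" prefix is accepted. Returns -1.0 on a malformed vector. */
double cvss30_base_score(const char *vector)
{
    char buf[160], *tok, prv = 0, v;
    double av = -1, ac = -1, ui = -1, c = -1, i = -1, a = -1, pr, iss, impact, expl, raw;
    int scope = -1;

    if (vector == NULL || strlen(vector) >= sizeof buf) return -1.0;
    strcpy(buf, vector);
    for (tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL) return -1.0;
        *colon = '\0';
        if (strcmp(tok, "CVSS") == 0) continue;               /* version prefix */
        if (colon[1] == '\0' || colon[2] != '\0') return -1.0; /* values are one letter */
        v = colon[1];
        if      (!strcmp(tok, "AV")) av = w_av(v);
        else if (!strcmp(tok, "AC")) ac = w_ac(v);
        else if (!strcmp(tok, "PR")) prv = v;                  /* resolved once S is known */
        else if (!strcmp(tok, "UI")) ui = w_ui(v);
        else if (!strcmp(tok, "S"))  scope = v=='C' ? 1 : v=='U' ? 0 : -1;
        else if (!strcmp(tok, "C"))  c = w_cia(v);
        else if (!strcmp(tok, "I"))  i = w_cia(v);
        else if (!strcmp(tok, "A"))  a = w_cia(v);
        else return -1.0;
    }
    if (scope < 0 || prv == 0) return -1.0;
    pr = w_pr(prv, scope);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0) return -1.0;

    iss    = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    impact = scope ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    expl   = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0) return 0.0;
    raw = scope ? 1.08 * (impact + expl) : impact + expl;
    if (raw > 10.0) raw = 10.0;
    return roundup1(raw);
}

/* Qualitative rating per the CVSS v3.0 severity scale. */
const char *cvss30_severity(double score)
{
    if (score < 0.0)  return "UNKNOWN";
    if (score == 0.0) return "NONE";
    if (score < 4.0)  return "LOW";
    if (score < 7.0)  return "MEDIUM";
    if (score < 9.0)  return "HIGH";
    return "CRITICAL";
}

int main(void)
{
    const char *vec = "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H";   /* vector from the NVD record */
    double s = cvss30_base_score(vec);
    printf("%s -> %.1f (%s)\n", vec, s, cvss30_severity(s));
    return 0;
}
```

For the vector on this page the impact sub-score is 6.42 × 0.56 ≈ 3.60 and the exploitability sub-score is 8.22 × 0.55 × 0.77 × 0.85 × 0.62 ≈ 1.83, so the raw sum of roughly 5.43 rounds up to 5.5, matching the stored score and its MEDIUM rating.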

Official resources

The NVD record for CVE-2017-5665 (published 2017-03-01, last modified 2026-05-13) and the Gentoo advisory it references.