PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5666 Mp3splt Project CVE debrief

CVE-2017-5666 is an invalid-free flaw in free_options() in options_manager.c in mp3splt 2.6.2. When a crafted file is processed, the application can crash, resulting in denial of service. The official NVD record classifies the issue as CWE-416 with CVSS 3.0 5.5/Medium (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

Vendor
Mp3splt Project
Product
mp3splt (affected release 2.6.2)
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Anyone running or packaging mp3splt 2.6.2, especially systems that process user-supplied or otherwise untrusted files. Availability-sensitive environments should treat this as a crash-risk issue.

Technical summary

The vulnerable code path is free_options() in options_manager.c. NVD maps the weakness to CWE-416 (Use After Free), the memory-lifetime class it uses for this invalid free, and its CVSS vector requires local access (AV:L) and user interaction (UI:R): a user must process the crafted file with mp3splt for the bug to fire. The CVE description says that a crafted file triggers the invalid free and the crash; the official record assigns availability impact only (A:H), with no confidentiality or integrity impact.

Defensive priority

Medium priority: the issue is confined to a single release and is a denial-of-service condition, but a crafted file can crash any job that ingests untrusted files through mp3splt, so it should be addressed wherever such input is processed.

Recommended defensive actions

  • Inventory any systems, packages, or containers that include mp3splt 2.6.2.
  • Avoid processing untrusted or externally supplied files with mp3splt until a verified non-vulnerable build is in place.
  • If removal is not immediately possible, isolate the tool in a sandbox or low-privilege environment to reduce blast radius from crashes.
  • Monitor jobs and services that invoke mp3splt for unexpected termination or repeated crash loops.
  • Track vendor or distribution advisories for a patched release before re-enabling normal file-processing workflows.
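The inventory and monitoring steps above, as an added example that is not part of this advisory or of the mp3splt project. It assumes (not stated on the page) that `mp3splt -v` prints a line beginning with "mp3splt <version>", that coreutils `timeout` is available for the wall-clock limit, and that the job names are hypothetical. It checks whether a version string names the affected release, and wraps an invocation so that a signal-terminated run (glibc aborts with SIGABRT on an invalid free, which the shell reports as exit 134) is classified as a crash rather than silently swallowed by the calling job.

```sh
#!/bin/sh
# Added example for the CVE-2017-5666 debrief; not code from the page or
# from the mp3splt project. Assumption: `mp3splt -v` prints a line that
# starts with "mp3splt 2.6.2" (the rest of the line is ignored).

# Return 0 if the version string names the affected release, 1 otherwise.
# The advisory names only 2.6.2, so this is an exact match, not a range.
is_affected_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^mp3splt \([0-9][0-9.]*\).*/\1/p')
    [ "$ver" = "2.6.2" ]
}

# Inventory helper: query the installed binary (if any) and report.
# Package-manager queries (dpkg-query -W mp3splt, rpm -q mp3splt) are the
# better source on managed hosts; the binary check is a fallback.
inventory_mp3splt() {
    if ! command -v mp3splt >/dev/null 2>&1; then
        echo "absent"
        return 1
    fi
    line=$(mp3splt -v 2>/dev/null | head -n 1)
    if is_affected_version "$line"; then
        echo "affected: $line"
    else
        echo "not-affected: $line"
    fi
}

# Map an exit status to a category the job scheduler can alert on.
# 124 is coreutils timeout's "command timed out"; >128 is 128 + signal
# number, e.g. 134 = SIGABRT (glibc "free(): invalid pointer" aborts),
# 139 = SIGSEGV.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "crash:$(( $1 - 128 ))"
             else
                 echo "error:$1"
             fi ;;
    esac
}

# Run a command under a wall-clock limit and print its classification.
# Written to be safe under `set -e`: the command's failure is captured,
# not propagated. Usage: run_monitored <seconds> <command...>
run_monitored() {
    limit=$1
    shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    classify_exit "$rc"
}

# Constructed demonstration: a stand-in process that aborts, the way an
# invalid free in glibc does. In a real job the command would be
# something like: run_monitored 60 mp3splt -o '@f_@n' untrusted.mp3
demo_crash_detection() {
    run_monitored 5 sh -c 'kill -ABRT $$'
}
```

On a host where mp3splt is installed, `inventory_mp3splt` prints "affected: ..." for 2.6.2; `demo_crash_detection` prints "crash:6". Wire `run_monitored` into the job that processes untrusted files and alert on any "crash:" or "timeout" result, which is the unexpected-termination signal the monitoring step above asks for.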

Evidence notes

The supplied official record identifies the weakness as CWE-416 and provides a CVSS vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The CVE description states that a crafted file can trigger an invalid free and crash. The reference set also includes a Gentoo blog advisory tagged as Exploit/Third Party Advisory and a SecurityFocus BID reference. This debrief does not rely on any exploit details beyond the official descriptions and references.

Official resources

CVE published on 2017-03-01T15:59:00.883Z and the official source record was modified on 2026-05-13T00:24:29.033Z. This debrief uses those supplied dates for context and does not treat generation time as the vulnerability date.