PatchSiren

CVE-2017-5851 Mp3splt Project CVE debrief

CVE-2017-5851 affects mp3splt 2.6.2 and is caused by a null pointer dereference in free_options() within options_manager.c. A crafted file can trigger a crash of the command-line utility. NVD scores the issue as CVSS 3.0 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) and maps it to CWE-476. The source description also notes that this crash typically has no further consequences for availability, so the practical impact is often limited even though the entry is rated medium severity.

Vendor: Mp3splt Project
Product: CVE-2017-5851
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Anyone operating mp3splt 2.6.2, especially in workflows that process untrusted or user-supplied media files. This matters most for systems where a crash would interrupt batch processing or where the tool is embedded in automation.

Technical summary

The vulnerable code path is free_options() in options_manager.c. According to the supplied NVD record and linked advisory reference, a crafted file can reach a null pointer dereference and terminate the process. The NVD metadata lists the issue as local, low-complexity, no-privileges, and user-interaction required, with no impact to confidentiality or integrity and availability impact limited to a crash.

Defensive priority

Moderate for environments that routinely ingest untrusted files; low for systems where mp3splt is rarely used or only handles trusted inputs. Prioritize containment and input-sourcing controls over emergency response.

Recommended defensive actions

  • Identify whether mp3splt 2.6.2 is installed or embedded in any processing pipeline.
  • Avoid processing untrusted or externally supplied files with the affected version.
  • Constrain the tool with sandboxing or other execution isolation if it must remain in use.
  • Monitor for unexpected crashes in jobs that invoke mp3splt and treat them as a signal to review input handling.
  • Track upstream project guidance for a patched release or replacement path before continuing broad deployment.
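
One way to act on the containment and crash-monitoring items above, as an added example (not code from PatchSiren or the mp3splt project): a POSIX shell wrapper that treats signal death of the wrapped command as a crash, moves the input file to quarantine and logs the event. The function names, QUARANTINE_DIR and the log format are assumptions.

```shell
#!/bin/sh
# Added example: guard a batch job's mp3splt call and flag crash exits.
# QUARANTINE_DIR and the log line format are assumptions, not mp3splt features.
QUARANTINE_DIR="${QUARANTINE_DIR:-./quarantine}"

# Map an exit status to "ok", "error:<code>" or "signal:<number>".
# sh and bash report death by signal N as status 128+N (SIGSEGV is 11 -> 139).
# A tool that deliberately exits with a code above 128 would be misread as a
# signal, so treat the verdict as a trigger for review, not as proof.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "signal:$(( $1 - 128 ))"
    else
        echo "error:$1"
    fi
}

# Usage: run_guarded INPUT_FILE CMD [ARGS...]
# CMD is the job's existing mp3splt command line, passed through unchanged.
# Returns 0 on success, 1 on an ordinary error, 2 when CMD died from a signal
# (the input is then moved to QUARANTINE_DIR and a line is appended to crash.log).
run_guarded() {
    input=$1; shift
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    case $verdict in
        ok) return 0 ;;
        signal:*)
            mkdir -p "$QUARANTINE_DIR"
            mv -- "$input" "$QUARANTINE_DIR"/
            printf '%s crash verdict=%s input=%s\n' \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verdict" "$input" \
                >> "$QUARANTINE_DIR/crash.log"
            return 2 ;;
        *) return 1 ;;
    esac
}
```

A return value of 2 lets the calling job skip the file and continue the batch instead of retrying the same input.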

Evidence notes

All claims are derived from the supplied CVE record, the NVD detail, and the linked third-party advisory reference. The CVE was published on 2017-03-01; the 2026-05-13 timestamp is the record modification date, not the issue date. The official record lists mp3splt 2.6.2 as vulnerable and provides the CVSS v3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-476.

Official resources

Publicly disclosed on 2017-03-01 in the CVE/NVD record; the record was last modified on 2026-05-13.