PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10198 GStreamer CVE debrief

CVE-2016-10198 is a denial-of-service issue in GStreamer’s gst-plugins-good AAC parser. According to NVD, a crafted audio file can trigger an invalid memory read and crash in gst_aac_parse_sink_setcaps, affecting GStreamer versions up to 1.10.2. The issue was fixed in GStreamer 1.10.3.

Vendor
GStreamer
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Administrators and developers running GStreamer-based applications that process AAC or other untrusted media files, especially where gst-plugins-good version 1.10.2 or earlier may be present.

Technical summary

NVD classifies this as CWE-125 (out-of-bounds/invalid memory read) in gst/audioparsers/gstaacparse.c, specifically the gst_aac_parse_sink_setcaps function in gst-plugins-good. The vulnerable package range is listed as GStreamer versions through 1.10.2, with the fix released in 1.10.3. The NVD CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact from a crash and that user interaction is required.

Defensive priority

Medium. This is a crash-only vulnerability, but it can be triggered by untrusted media handling and may affect desktop, server, or embedded deployments that auto-process audio content.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.3 or later if you are on an affected 1.10.x line.
  • Verify whether applications bundle or statically link gst-plugins-good, not just whether the OS package is patched.
  • Review any workflows that ingest untrusted AAC or other media files and reduce automatic processing where practical.
  • Use vendor advisories and distro security notices to confirm backported fixes for your platform.
  • If you cannot upgrade immediately, treat unknown media as untrusted input and isolate processing where feasible.
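The first two actions above (confirm the version, and confirm which copy of gst-plugins-good an application actually loads) can be checked with a small script. The following is an added example, not PatchSiren's or the GStreamer project's code; it assumes gst-inspect-1.0 is on PATH and reads the "Plugin Details" block it prints for the aacparse element, and the sample output embedded in it is constructed rather than captured from a real system.

```python
"""Compare the loaded GStreamer audioparsers plugin against the CVE-2016-10198 fix (1.10.3)."""
import re
import shutil
import subprocess

FIXED_VERSION = (1, 10, 3)  # first release with the fix, per the debrief

# Constructed sample of the "Plugin Details" block that gst-inspect-1.0 aacparse
# prints (not a real capture); the parser below reads only this block.
SAMPLE_OUTPUT = """Plugin Details:
  Name                     audioparsers
  Description              Parsers for various audio formats
  Filename                 /opt/app/lib/gstreamer-1.0/libgstaudioparsers.so
  Version                  1.10.2
  Source module            gst-plugins-good
"""

def parse_version(text):
    """'1.10.2' -> (1, 10, 2); only the first three numeric fields are compared."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

def parse_plugin_details(output):
    """Pick the Version, Filename and Source module values out of gst-inspect output."""
    details = {}
    for line in output.splitlines():
        m = re.match(r"^\s+(Version|Filename|Source module)\s{2,}(\S.*?)\s*$", line)
        if m:
            details[m.group(1)] = m.group(2)
    return details

def is_vulnerable(version_text):
    """True when the plugin reports a version before 1.10.3."""
    return parse_version(version_text) < FIXED_VERSION

def check_installed(element="aacparse"):
    """Inspect the element gst-inspect-1.0 would load (honouring GST_PLUGIN_PATH).
    Returns (version, filename, vulnerable), or None if tool or element is missing."""
    tool = shutil.which("gst-inspect-1.0")
    if tool is None:
        return None
    proc = subprocess.run([tool, element], capture_output=True, text=True)
    details = parse_plugin_details(proc.stdout)
    if proc.returncode != 0 or "Version" not in details:
        return None
    return details["Version"], details.get("Filename", "?"), is_vulnerable(details["Version"])

if __name__ == "__main__":
    print(check_installed())  # e.g. ('1.10.2', '/opt/.../libgstaudioparsers.so', True) or None
```

To check the copy an application bundles, run it with that application's GST_PLUGIN_PATH so the reported Filename points into the bundle rather than the system directory. A reported 1.10.2 is not conclusive on distributions that backport fixes without bumping the version, which is why the debrief also points to distro security notices.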

Evidence notes

NVD lists the vulnerability as a crash/invalid memory read in gst_aac_parse_sink_setcaps and maps affected versions to GStreamer up to 1.10.2. The vendor release notes for 1.10.3 are cited as the fix point. Related advisories include GNOME issue 775450, Debian DSA-3820, and Red Hat RHSA-2017:2060. Dates used here follow the CVE/NVD published date of 2017-02-09 and modified date of 2026-05-13.

Official resources

First published in NVD/CVE on 2017-02-09T15:59:00.800Z; NVD record last modified on 2026-05-13T00:24:29.033Z.