PatchSiren cyber security CVE debrief

CVE-2016-10199 GStreamer CVE debrief

CVE-2016-10199 affects GStreamer gst-plugins-good before 1.10.3. A crafted tag value can trigger an out-of-bounds read in qtdemux_tag_add_str_full, resulting in a remote denial of service by crashing the process. NVD lists the issue as published on 2017-02-09 and later updated metadata on 2026-05-13; that later date is not the vulnerability’s original issue date.

Vendor: GStreamer
Product: CVE-2016-10199
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Teams that embed or ship GStreamer, especially systems using gst-plugins-good for media parsing, should care most. This also matters for distributors and maintainers of downstream packages that inherited the vulnerable version range.

Technical summary

NVD describes the flaw as an out-of-bounds read in qtdemux_tag_add_str_full in gst/isomp4/qtdemux.c, triggered by a crafted tag value. The impact is availability only: a remote attacker can cause a crash, with no confidentiality or integrity impact listed in the CVSS vector. NVD assigns CWE-125 and a CVSS v3.0 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The vulnerable version range in NVD is GStreamer through 1.10.2, with 1.10.3 identified in the vendor release notes as the fixed release.

Defensive priority

High for exposed multimedia services and any application that parses untrusted media or container metadata with vulnerable GStreamer builds. The attack requires no privileges or user interaction and is network-reachable in the CVSS vector, so patching should be prioritized where the parser is reachable from untrusted inputs.

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-good to 1.10.3 or a vendor-patched package version.
  • Confirm whether your deployed package set includes gst/isomp4/qtdemux from the affected GStreamer branch and whether downstream distributions have backported the fix.
  • Review applications that ingest attacker-controlled media or tags and ensure they are running on fixed builds before re-enabling exposure.
  • Use the vendor release notes and downstream advisories to verify the exact fixed package version in your environment.
  • Treat unexpected crashes in media parsing paths as a potential indicator of exposure to malformed inputs and validate that patched versions are deployed.
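The following script is an added example, not part of this debrief or of the GStreamer project, that automates the version check behind the first two actions above: it reads the version of the plugin providing qtdemux from gst-inspect-1.0 (assumed to be on PATH, with the "Version" line of its Plugin Details block reflecting the gst-plugins-good release) and compares it against the NVD-listed range of 1.10.2 and earlier. It cannot see distribution backports, so a "vulnerable" result still needs confirming against the downstream advisory.

```shell
#!/bin/sh
# Added example: flag a gst-plugins-good install that falls inside the
# CVE-2016-10199 affected range (any version <= 1.10.2; fixed in 1.10.3).

# Compare two dotted version strings numerically and print -1, 0 or 1
# as $1 is lower than, equal to, or greater than $2. Distro suffixes
# such as "1.10.2-1" or "1.10.2~rc1" are ignored on the last component.
vercmp() {
    va="$1" vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ha=${va%%.*}; hb=${vb%%.*}                 # leading component
        [ "$va" = "$ha" ] && va='' || va=${va#*.}  # advance to the rest
        [ "$vb" = "$hb" ] && vb='' || vb=${vb#*.}
        ha=${ha%%[!0-9]*}; hb=${hb%%[!0-9]*}       # drop non-numeric suffix
        ha=${ha:-0}; hb=${hb:-0}                   # missing component == 0
        if [ "$ha" -lt "$hb" ]; then printf '%s\n' -1; return; fi
        if [ "$ha" -gt "$hb" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when VERSION is within the NVD range for this CVE.
qtdemux_affected() {
    [ "$(vercmp "$1" 1.10.2)" -le 0 ]
}

# Version of the plugin module that provides qtdemux (isomp4, shipped in
# gst-plugins-good), taken from the Plugin Details block of gst-inspect-1.0.
installed_qtdemux_version() {
    gst-inspect-1.0 qtdemux 2>/dev/null | awk '/^ *Version/ { print $2; exit }'
}

main() {
    v=${1:-$(installed_qtdemux_version)}
    if [ -z "$v" ]; then
        echo "qtdemux not found via gst-inspect-1.0; check the package manager instead" >&2
        return 2
    fi
    if qtdemux_affected "$v"; then
        echo "gst-plugins-good $v: within CVE-2016-10199 range (fixed upstream in 1.10.3); check for a distro backport"
        return 1
    fi
    echo "gst-plugins-good $v: not within CVE-2016-10199 range"
}

# Run when a version is passed explicitly or when gst-inspect-1.0 is present.
if [ $# -gt 0 ] || command -v gst-inspect-1.0 >/dev/null 2>&1; then
    main "$@"
fi
```

Pass a version on the command line (for example one extracted from a package manager) to check a host where gst-inspect-1.0 is not installed.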

Evidence notes

The vulnerability description, affected component, and exploit impact come from the NVD record for CVE-2016-10199. NVD lists the vulnerable CPE range as GStreamer versions up to and including 1.10.2 and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record also cites CWE-125. Supporting references include the GStreamer 1.10.3 release notes, GNOME Bugzilla issue 775451, and downstream advisories from Debian, Red Hat, and Gentoo. The timeline here uses the CVE publication date of 2017-02-09; the 2026-05-13 modified date reflects later metadata updates, not the original disclosure date.

Official resources

Publicly disclosed on 2017-02-09. Later NVD metadata modification occurred on 2026-05-13 and should not be interpreted as the vulnerability’s original publication date.