PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9445 GStreamer CVE debrief

CVE-2016-9445 is a high-severity GStreamer vulnerability in the vmnc decoder. According to NVD, specially crafted input with large width and height values can trigger an integer overflow that leads to a buffer overflow and denial of service (crash). The NVD record lists a network attack vector with no privileges or user interaction required and identifies the weakness as CWE-190.

Vendor: GStreamer
Product: CVE-2016-9445
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Security teams and administrators running GStreamer-based media processing, especially deployments that handle untrusted or externally supplied media. Distribution maintainers and application vendors that bundle or depend on the vmnc decoder should also review their package status.

Technical summary

NVD describes an integer overflow in the vmnc decoder that can be reached through large width and height values, resulting in a buffer overflow and crash. The NVD CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the weakness mapping is CWE-190. The NVD CPE criteria explicitly list gstreamer 1.10.0 as vulnerable.
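The CWE-190 pattern behind this class of bug is a frame-size computation (width times height times bytes per pixel) that wraps in fixed-width arithmetic, so a huge declared frame yields a small allocation that later pixel writes overrun. The following added example is not the GStreamer vmnc code and does not reproduce the CVE; it is a generic illustration written for this debrief that places the unchecked computation beside a hardened version. The dimension ceiling MAX_DIMENSION, the pixel size and the use of the GCC/Clang builtin __builtin_mul_overflow are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Illustrative only: this models the CWE-190 pattern described in the CVE
   record (width * height driving an allocation); it is not GStreamer code. */

#define MAX_DIMENSION 16384u   /* assumed sane ceiling for this illustration */
#define BYTES_PER_PIXEL 4u     /* assumed pixel size for this illustration */

/* Unchecked: the product is computed in 32-bit unsigned arithmetic and wraps
   silently, so a huge frame can produce a tiny (even zero) size. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;
}

/* Checked: reject zero or oversized dimensions and detect wrap-around on each
   multiplication. Returns 0 on any failure; callers must treat 0 as an error. */
size_t frame_bytes_checked(uint32_t width, uint32_t height) {
    if (width == 0 || height == 0)
        return 0;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return 0;
    size_t pixels, bytes;
    /* __builtin_mul_overflow is a GCC/Clang builtin (assumption of this example) */
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &pixels))
        return 0;
    if (__builtin_mul_overflow(pixels, (size_t)BYTES_PER_PIXEL, &bytes))
        return 0;
    return bytes;
}

/* Decoder-style allocation that refuses to proceed when the size check fails,
   so untrusted header dimensions can never produce an undersized buffer. */
unsigned char *alloc_frame(uint32_t width, uint32_t height, size_t *out_len) {
    size_t n = frame_bytes_checked(width, height);
    if (n == 0) {
        *out_len = 0;
        return NULL;
    }
    unsigned char *buf = calloc(1, n);
    *out_len = buf ? n : 0;
    return buf;
}

int main(void) {
    /* Constructed inputs: one realistic frame, one hostile header. */
    uint32_t w_hostile = 1u << 20, h_hostile = 1u << 12;   /* product is 2^32 */
    printf("1920x1080 unchecked=%u checked=%zu\n",
           frame_bytes_unchecked(1920, 1080), frame_bytes_checked(1920, 1080));
    printf("hostile   unchecked=%u checked=%zu\n",
           frame_bytes_unchecked(w_hostile, h_hostile),
           frame_bytes_checked(w_hostile, h_hostile));
    size_t len;
    unsigned char *buf = alloc_frame(w_hostile, h_hostile, &len);
    printf("hostile allocation %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The hostile header is the point of the example: the unchecked computation returns 0 bytes for a frame of 2^32 pixels, which a decoder would then allocate and write past, while the checked path rejects it before any allocation occurs. Real decoders should combine the ceiling check with the overflow-detecting multiply, since a ceiling alone protects only if every dimension is bounded.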

Defensive priority

High. Prioritize remediation if GStreamer is exposed to untrusted media or used in services that ingest remote content, because the flaw is remotely reachable and can cause service interruption without authentication or user interaction.

Recommended defensive actions

  • Check whether your environment uses GStreamer 1.10.0 or a packaged build that includes the affected vmnc decoder.
  • Apply the vendor or distribution security update referenced by the linked advisories and upstream fix commit.
  • If the vmnc decoder is not needed, remove, disable, or sandbox that parsing path to reduce exposure to untrusted input.
  • Treat media files from external sources as untrusted until patched systems are in place.
  • Confirm remediation using your standard package inventory and rebuild processes for downstream distributions or embedded images.

Evidence notes

The source corpus identifies CVE-2016-9445 as a GStreamer vmnc decoder issue, and NVD classifies it as CWE-190 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record description says large width and height values can trigger an integer overflow, causing a buffer overflow and crash. Linked references include upstream Openwall announcements, a GNOME Bugzilla report, a freedesktop/GStreamer fix commit, Red Hat errata, SecurityFocus, and Gentoo GLSA coverage, which together support vendor and downstream remediation tracking.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-23. The source corpus also links prior upstream and downstream references, including Openwall posts dated 2016-11-18 and later vendor advisories. The CVE record was last modified on 2026-5