PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9447 GStreamer CVE debrief

CVE-2016-9447 is a memory-safety flaw in the NSF (NES Sound Format) decoder shipped with GStreamer 0.10.x. A crafted NSF music file can drive the decoder's ROM-mapping step out of bounds, producing an out-of-bounds read or write that crashes the consuming application and may give an attacker a path to arbitrary code execution. NVD rates the issue 7.8 HIGH; the published CVSS vector marks it as requiring user interaction and as a local attack, which for a file-format bug means the malicious file has to be delivered to and opened on the target rather than the decoder being reachable directly over the network.

Vendor
GStreamer
Product
GStreamer 0.10.x (NSF decoder)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Administrators, distro maintainers, and application teams that still ship or embed GStreamer 0.10.x, especially where media parsing is exposed to untrusted NSF files. Security teams should also care if desktop, media-center, or automated content-processing workflows can open attacker-supplied audio files.

Technical summary

The vulnerable component is the ROM-mapping logic of the NSF decoder in GStreamer 0.10.x. An NSF file carries a small header (load, init and play addresses, plus optional bankswitch values) that tells the decoder where to place the file's 6502 code and data in the emulated console's ROM address space, and the CVE reports that a crafted file can push this mapping outside the intended buffer. NVD maps the issue to CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write). The direct result is denial of service; the CVE description also notes that arbitrary code execution is possible. The NVD CVSS 3.0 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
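The following C is an added example written for this debrief; it is not code from GStreamer or its 0.10.x NSF decoder, and it does not reproduce the specific defect behind CVE-2016-9447. It shows what a bounds-checked ROM-mapping step looks like for the NSF format: the loader parses the public NSF header (magic "NESM\x1A", 16-bit little-endian load address at offset 0x08, bankswitch bytes at 0x70-0x77, payload from 0x80), rejects any file whose load address, payload length or bank indices would carry a copy outside the 32 KiB $8000-$FFFF window, and only then maps the data. The function names (nsf_load, run_case, the case_* helpers) and the sample files, which are constructed inline, are assumptions of this example, not anything taken from the vulnerable code.

```c
/* Added, illustrative example for this debrief: a defensive NSF loader that
 * validates the header before mapping file data into the 32 KiB 6502 ROM
 * window ($8000-$FFFF). Not the GStreamer 0.10.x NSF decoder, and not a
 * reproduction of its specific bug. Header offsets follow the public NSF
 * format; sample inputs below are constructed, not real files. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSF_HEADER_SIZE 0x80
#define NSF_ROM_BASE    0x8000u   /* NSF data lives at $8000-$FFFF */
#define NSF_ROM_SIZE    0x8000u   /* 32 KiB window */
#define NSF_BANK_SIZE   0x1000u   /* 4 KiB bankswitch granularity */
#define NSF_MAX_DATA    0x1000u   /* payload cap for the constructed samples */

enum nsf_status {
    NSF_OK = 0,
    NSF_ERR_SHORT,      /* shorter than the fixed header */
    NSF_ERR_MAGIC,      /* not an NSF file */
    NSF_ERR_LOAD_ADDR,  /* load address below $8000 */
    NSF_ERR_OVERFLOW,   /* linear payload would run past $FFFF */
    NSF_ERR_BANK        /* bankswitch value names a bank the file does not contain */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate `buf` and, on NSF_OK, fill `rom` (NSF_ROM_SIZE bytes) with the
 * payload as the 6502 would see it from $8000. Every memcpy is bounded by the
 * check above it, so no header field can move a write past rom + NSF_ROM_SIZE. */
enum nsf_status nsf_load(const uint8_t *buf, size_t len, uint8_t *rom)
{
    if (len < NSF_HEADER_SIZE) return NSF_ERR_SHORT;
    if (memcmp(buf, "NESM\x1a", 5) != 0) return NSF_ERR_MAGIC;

    uint16_t load = rd16le(buf + 0x08);
    const uint8_t *data = buf + NSF_HEADER_SIZE;
    size_t data_len = len - NSF_HEADER_SIZE;
    const uint8_t *banks = buf + 0x70;
    int banked = 0;
    for (int i = 0; i < 8; i++) banked |= banks[i];

    if (load < NSF_ROM_BASE) return NSF_ERR_LOAD_ADDR;
    memset(rom, 0, NSF_ROM_SIZE);

    if (!banked) {
        /* Linear mapping: payload goes at load - $8000. Doing this memcpy
         * without the length check is how a crafted header becomes an
         * out-of-bounds write. */
        size_t off = load - NSF_ROM_BASE;
        if (data_len > NSF_ROM_SIZE - off) return NSF_ERR_OVERFLOW;
        memcpy(rom + off, data, data_len);
        return NSF_OK;
    }

    /* Bankswitched: the payload is preceded by (load & 0xFFF) bytes of padding
     * and split into 4 KiB banks; banks[i] selects the bank visible in slot i
     * ($8000 + i*$1000). A bank index past the last bank has no backing data,
     * so it is rejected instead of being read past the end of `data`. */
    size_t pad = load & 0x0FFF;
    size_t nbanks = (pad + data_len + NSF_BANK_SIZE - 1) / NSF_BANK_SIZE;
    for (int i = 0; i < 8; i++)
        if (banks[i] >= nbanks) return NSF_ERR_BANK;
    for (int i = 0; i < 8; i++) {
        size_t lo = banks[i] * NSF_BANK_SIZE;           /* padded coordinates */
        size_t hi = lo + NSF_BANK_SIZE;
        if (lo < pad) lo = pad;                          /* skip leading padding */
        if (hi > pad + data_len) hi = pad + data_len;    /* clip the partial last bank */
        if (lo < hi)
            memcpy(rom + i * NSF_BANK_SIZE + (lo - banks[i] * NSF_BANK_SIZE),
                   data + (lo - pad), hi - lo);
    }
    return NSF_OK;
}

/* Constructed sample (not a real NSF): a header with the given load address
 * and bankswitch bytes, then `data_len` payload bytes equal to their own
 * offset modulo 256, so the resulting mapping is easy to verify. */
static uint8_t g_file[NSF_HEADER_SIZE + NSF_MAX_DATA];
static uint8_t g_rom[NSF_ROM_SIZE];

enum nsf_status run_case(uint16_t load, size_t data_len, const uint8_t *banks)
{
    if (data_len > NSF_MAX_DATA) return NSF_ERR_OVERFLOW;
    memset(g_file, 0, sizeof g_file);
    memcpy(g_file, "NESM\x1a", 5);
    g_file[5] = 1; g_file[6] = 1; g_file[7] = 1;     /* version, songs, start song */
    g_file[8] = (uint8_t)(load & 0xFF); g_file[9] = (uint8_t)(load >> 8);
    memcpy(g_file + 0x0A, g_file + 8, 2);            /* init = load */
    memcpy(g_file + 0x0C, g_file + 8, 2);            /* play = load */
    if (banks) memcpy(g_file + 0x70, banks, 8);
    for (size_t i = 0; i < data_len; i++) g_file[NSF_HEADER_SIZE + i] = (uint8_t)i;
    return nsf_load(g_file, NSF_HEADER_SIZE + data_len, g_rom);
}

uint8_t rom_byte(size_t off) { return g_rom[off]; }  /* peek at the last mapping */

enum nsf_status case_benign(void)   { return run_case(0x8000, 0x100, NULL); }
enum nsf_status case_low_load(void) { return run_case(0x0100, 0x100, NULL); }  /* load below $8000 */
enum nsf_status case_too_long(void) { return run_case(0xFF00, 0x200, NULL); }  /* would run past $FFFF */
enum nsf_status case_banked(void)   { static const uint8_t b[8] = {1,0,0,0,0,0,0,0}; return run_case(0x8F00, 0x200, b); }
enum nsf_status case_bad_bank(void) { static const uint8_t b[8] = {0,2,0,0,0,0,0,0}; return run_case(0x8F00, 0x200, b); }

int main(void)
{
    printf("benign=%d low_load=%d too_long=%d banked=%d bad_bank=%d\n",
           case_benign(), case_low_load(), case_too_long(), case_banked(), case_bad_bank());
    return 0;
}
```

Run as-is, it prints the status of each constructed case. The two hostile cases, a load address below the ROM window and a payload longer than the space left after the load address, are exactly the header values a linear mapping step must refuse before copying; the banked case shows that once bank indices are validated against the number of banks the file actually contains, the per-bank copies stay inside the window even for a partial last bank.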

Defensive priority

High for any environment that parses untrusted NSF content with GStreamer 0.10.x; moderate otherwise because exploitation depends on file handling and user interaction.

Recommended defensive actions

  • Migrate affected GStreamer 0.10.x deployments to a maintained 1.x release, or to a distribution package that carries the vendor fix (the Red Hat errata and Gentoo GLSA cited below are examples). The 0.10 series is end-of-life upstream, so an unpatched 0.10 install will not receive a fix on its own.
  • Disable NSF decoding where the format is not needed. GStreamer 0.10 has no per-format switch, so in practice this means removing the NSF plugin from the plugin path and confirming with gst-inspect-0.10 that no NSF element is still registered.
  • Treat untrusted media files as hostile: restrict where users or services can open them, and run decoders that handle attacker-supplied content under sandboxing or reduced privilege.
  • Prioritize patching systems that automatically preview, catalog, or transcode user-supplied audio content, since automated processing removes the need for a user to open the file by hand.
  • Validate that downstream packages and embedded products have inherited the vendor fix or an equivalent mitigation, rather than inferring it from a version string.

Evidence notes

This debrief is based on the NVD CVE record and the references listed there. The CVE description states that ROM mappings in the NSF decoder in GStreamer 0.10.x allow remote attackers to cause denial of service and possibly execute arbitrary code via a crafted NSF music file. The NVD record also supplies the CVSS 3.0 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), weaknesses CWE-125 and CWE-787, and affected 0.10.x CPE entries. Referenced advisories and discussions include Red Hat errata, Openwall oss-security posts, a SecurityFocus BID, and Gentoo GLSA 201705-10.

Official resources

CVE-2016-9447 was published on 2017-01-23. The reference set in the NVD record includes related 2016 disclosure material and vendor advisories, while the 2026 modified timestamp reflects later record updates rather than the vulnerability's