PatchSiren cyber security CVE debrief

CVE-2016-9808 GStreamer CVE debrief

CVE-2016-9808 is a remote denial-of-service vulnerability in GStreamer’s FLIC decoder. According to the CVE description and NVD record, crafted skip/count pairs can trigger an out-of-bounds write and crash the process. The affected version range in the NVD CPE data is GStreamer through 1.10.1, with 1.10.2 listed in the vendor release notes as the fixed release.

Vendor: GStreamer
Product: CVE-2016-9808
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Teams that deploy GStreamer components capable of parsing FLIC content, especially services or applications that process untrusted media from users or external sources. Security and platform owners should also care if GStreamer is shipped as a dependency in desktops, browsers, media pipelines, or server-side transcoding workflows.

Technical summary

NVD classifies the issue as CWE-787 (out-of-bounds write). The attack surface is network-reachable in the CVSS vector (AV:N, AC:L, PR:N, UI:N), but the practical trigger is malicious FLIC data supplied to the decoder. The documented impact is availability only (A:H), consistent with a crash/DoS rather than a confidentiality or integrity impact.

Defensive priority

High. The CVSS score is 7.5 and the issue is remotely triggerable with no privileges or user interaction. Prioritize patching systems that handle untrusted media or expose GStreamer-based decoding in shared services.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or a later fixed release referenced by the vendor advisory.
  • Inventory applications and services that use GStreamer FLIC decoding, including indirect dependencies.
  • Restrict or validate untrusted media ingestion where feasible until patched.
  • Monitor for crashes or instability in media-processing components that may indicate malformed FLIC input.
  • Confirm vendor-provided package updates or errata are applied on supported distributions.
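The first two actions above (upgrade and inventory) come down to one question per host: is the installed GStreamer older than 1.10.2, and is the FLIC decoder actually present? The script below is an added example written for this debrief; it is not PatchSiren's or the GStreamer project's code. It assumes the fixed version 1.10.2 from the page, that the version can be read from the `GStreamer X.Y.Z` line of `gst-inspect-1.0 --version` output, and that the FLIC decoder ships as an element named `flxdec` (an assumption about the gst-plugins-good element name). The sample version output embedded in the script is constructed, not captured from a real host.

```python
"""Added example (not PatchSiren's or GStreamer's code): classify a host
against the CVE-2016-9808 affected range.

Assumptions, all labelled: the fixed release is 1.10.2 (from the debrief);
the version is taken from the `GStreamer X.Y.Z` line that
`gst-inspect-1.0 --version` prints; the FLIC decoder is assumed to be the
`flxdec` element, so its presence is checked with `gst-inspect-1.0 flxdec`.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 10, 2)  # first fixed release per the vendor release notes

# Constructed sample of `gst-inspect-1.0 --version` output (not from a real host).
SAMPLE_VERSION_OUTPUT = """gst-inspect-1.0 version 1.10.1
GStreamer 1.10.1
Unknown package origin
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the GStreamer version tuple from --version output.

    Looks for a line beginning with 'GStreamer ' followed by dotted integers
    (assumed output format). Returns None when no such line exists.
    """
    m = re.search(r"^GStreamer\s+(\d+(?:\.\d+)+)", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when version < 1.10.2.

    Shorter tuples are zero-padded so (1, 10) compares as 1.10.0, and tuple
    comparison correctly orders 1.9.90 below 1.10.0 (string comparison would not).
    """
    width = max(len(version), len(FIXED_VERSION))
    padded = version + (0,) * (width - len(version))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded < fixed


def assess(version_output: str, flxdec_present: bool) -> str:
    """Combine version range and decoder presence into a triage verdict."""
    version = parse_version(version_output)
    if version is None:
        return "unknown: could not parse GStreamer version"
    vstr = ".".join(map(str, version))
    if not is_affected(version):
        return f"not affected: GStreamer {vstr} >= 1.10.2"
    if not flxdec_present:
        return (f"affected version {vstr} but FLIC decoder element not "
                f"installed; upgrade still recommended")
    return f"AFFECTED: GStreamer {vstr} with FLIC decoder installed; upgrade to 1.10.2 or later"


def probe_host() -> str:
    """Run gst-inspect-1.0 on the local host (assumes it is on PATH)."""
    tool = shutil.which("gst-inspect-1.0")
    if tool is None:
        return "unknown: gst-inspect-1.0 not found on PATH"
    version_out = subprocess.run([tool, "--version"], capture_output=True, text=True).stdout
    # gst-inspect-1.0 <element> exits non-zero when the element is not installed.
    plugin = subprocess.run([tool, "flxdec"], capture_output=True, text=True)
    return assess(version_out, flxdec_present=(plugin.returncode == 0))


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, flxdec_present=True))
    print(probe_host())
```

One caveat for the inventory step: distribution packages such as the Red Hat errata cited in the resources section may backport the fix without raising the reported version past 1.10.1, so a version-only check can report false positives; confirm against the package changelog or errata before treating a host as vulnerable.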

Evidence notes

The CVE description states that the FLIC decoder in GStreamer before 1.10.2 allows remote attackers to cause a denial of service via an out-of-bounds write and crash using crafted skip/count pairs. NVD lists CWE-787 and a vulnerable version range ending at 1.10.1. The vendor release notes for 1.10.2 are cited as the fix reference. This debrief uses the CVE publication date of 2017-01-13 for timing context; the 2026-05-13 NVD modification date is not treated as the issue date.

Official resources

CVE published on 2017-01-13. Public references in the supplied corpus include vendor release notes, Red Hat errata, and oss-security posts. The NVD record was modified later on 2026-05-13, but that modification date should not be confused