PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9809 GStreamer CVE debrief

CVE-2016-9809 is an out-of-bounds read issue in GStreamer’s H.264 caps parsing logic. According to NVD, versions of GStreamer through 1.10.1 are affected, and the fix was released in 1.10.2. The vulnerability is associated with a high CVSS score (7.8) and should be treated as a priority for any environment that processes untrusted media content.

Vendor: GStreamer
Product: CVE-2016-9809
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Teams running applications or services that depend on GStreamer for media parsing or playback, especially where files may come from untrusted sources. This includes desktop multimedia applications, streaming or transcoding services, and Linux distribution maintainers responsible for packaged GStreamer builds.

Technical summary

NVD describes an off-by-one error in gst_h264_parse_set_caps that can trigger an out-of-bounds read when a crafted file is processed. The vulnerable CPE range covers GStreamer versions up to and including 1.10.1. The vendor release notes for 1.10.2 are listed as the fixing reference, and related issue tracking and distribution advisories are linked in the source corpus.

Defensive priority

High

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or a vendor-patched version that includes the fix.
  • Inventory systems and applications that embed or depend on GStreamer, including packaged libraries in Linux distributions.
  • Prioritize remediation for services that accept or parse untrusted media files.
  • Apply vendor and distribution advisories referenced in the record, including Red Hat, Debian, and Gentoo notices where applicable.
  • Validate post-upgrade behavior with representative media workloads and monitor for parser crashes or abnormal warnings.
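As an added example that is not part of the PatchSiren record or the GStreamer project, a POSIX shell check for the inventory and upgrade steps above: it reads the installed GStreamer core version (assuming pkg-config or gst-inspect-1.0 is present on the host) and flags anything below the fixing release 1.10.2, handling distribution version suffixes and short version strings.

```shell
#!/bin/sh
# Added example, not code from the PatchSiren record or from GStreamer.
# Flags a GStreamer core version as affected by CVE-2016-9809 when it is
# strictly below the fixing release 1.10.2 (i.e. 1.10.1 and earlier).

FIXED_VERSION="1.10.2"

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# Distribution suffixes such as "1.10.1-2ubuntu1" are stripped first, and
# missing components are treated as 0 ("1.10" compares as 1.10.0).
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal: not lower
}

# is_vulnerable VERSION: return 0 if that GStreamer core version is affected.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_gst_version: print the core library version from pkg-config or,
# failing that, from gst-inspect-1.0; prints nothing if neither is present.
installed_gst_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists gstreamer-1.0 2>/dev/null; then
        pkg-config --modversion gstreamer-1.0
    elif command -v gst-inspect-1.0 >/dev/null 2>&1; then
        gst-inspect-1.0 --version | sed -n 's/^GStreamer \([0-9.]*\).*/\1/p'
    fi
}

v=$(installed_gst_version)
if [ -z "$v" ]; then
    echo "GStreamer core not detected via pkg-config or gst-inspect-1.0"
elif is_vulnerable "$v"; then
    echo "GStreamer $v: AFFECTED by CVE-2016-9809; upgrade to $FIXED_VERSION or a patched build"
else
    echo "GStreamer $v: at or above $FIXED_VERSION"
fi
```

Distribution builds may backport the fix without changing the upstream version string, so treat an AFFECTED result as a prompt to confirm against the Red Hat, Debian or Gentoo advisory for that package rather than as a final verdict.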

Evidence notes

The source corpus includes the NVD CVE record, GStreamer 1.10.2 release notes, a GNOME Bugzilla issue entry, and multiple distribution advisories (Red Hat, Debian, Gentoo). NVD lists the affected range as GStreamer versions through 1.10.1 and identifies CWE-125. The CVE was published on 2017-01-13; earlier reference links in the record date to December 2016, which supports that the issue was publicly discussed before the CVE publication date.

Official resources

Publicly disclosed in the CVE record on 2017-01-13, with supporting public references in late 2016. No CISA KEV entry is listed in the supplied data.