PatchSiren cyber security CVE debrief
CVE-2016-9810 Gstreamer CVE debrief
CVE-2016-9810 is a denial-of-service vulnerability in GStreamer's flxdec decoder. An invalid file can trigger an incorrect unref call in gst_decode_chain_free_internal, leading to an invalid memory read and a crash. The affected range in NVD is GStreamer versions up to and including 1.10.1, with the vendor release notes indicating the fix in 1.10.2.
- Vendor: Gstreamer
- Product: CVE-2016-9810
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-13
- Advisory updated: 2026-05-13
Who should care
Teams that ship or embed GStreamer, especially gst-plugins-good builds with flxdec support, and any application that processes untrusted media files. This is most relevant where malformed input can reach desktop, server, or embedded media pipelines.
Technical summary
NVD maps the issue to CWE-125 (out-of-bounds read) and classifies the impact as availability only. The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, reflecting a crash condition that requires a user to open a crafted file rather than direct remote code execution. The vulnerable component is the flxdec decoder in gst-plugins-good, and the referenced fix is in the GStreamer 1.10.2 release notes.
Defensive priority
Medium. The issue is a crash/availability problem rather than a code-execution flaw, but it can still disrupt applications that open attacker-supplied files. Prioritize if you process untrusted media or support older GStreamer 1.10.x deployments.
Recommended defensive actions
- Upgrade GStreamer to 1.10.2 or later, or backport the vendor fix to any supported older branch.
- Audit deployments for gst-plugins-good and flxdex-enabled builds that may still be on 1.10.1 or earlier.
- Treat untrusted media files as hostile input and route them through updated parsing components first.
- Validate vendor packages and distro advisories for patched builds, especially where downstream distributions shipped their own fixes.
- Add crash monitoring for media-parsing paths so malformed-file failures are detected quickly in production.
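The audit step above (finding GStreamer installs still at 1.10.1 or earlier with the flxdec element available) can be scripted. The following is an added example, not part of the advisory or of the GStreamer project, and it assumes the usual gst-inspect-1.0 output layout: a "GStreamer X.Y.Z" line from `gst-inspect-1.0 --version`, and "plugin:  element: description" lines from a bare `gst-inspect-1.0`. The sample outputs embedded at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory): flag hosts whose GStreamer core is
# older than the fixed release and which expose the flxdec decoder element.
# Assumption: gst-inspect-1.0 output formats as described in the lead-in.

FIXED_VERSION="1.10.2"   # release named by the vendor release notes

# Extract "X.Y.Z" from the "GStreamer X.Y.Z" line of `gst-inspect-1.0 --version`.
parse_gst_version() {
    printf '%s\n' "$1" | sed -n 's/^GStreamer \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Missing components count as 0, so 1.10 compares equal to 1.10.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# True when the installed version falls inside the affected range (< 1.10.2).
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# True when the plugin listing contains the flxdec element.
has_flxdec() {
    printf '%s\n' "$1" | grep -q 'flxdec:'
}

# $1: output of `gst-inspect-1.0 --version`; $2: output of `gst-inspect-1.0`.
# Prints one verdict line; exit 0 = patched, 1 = affected range, 2 = unknown.
audit_report() {
    v=$(parse_gst_version "$1")
    [ -n "$v" ] || { echo "UNKNOWN: could not parse GStreamer version"; return 2; }
    if is_vulnerable_version "$v"; then
        if has_flxdec "$2"; then
            echo "VULNERABLE: GStreamer $v < $FIXED_VERSION and flxdec element present"
        else
            echo "AT RISK: GStreamer $v < $FIXED_VERSION (flxdec not currently installed)"
        fi
        return 1
    fi
    echo "OK: GStreamer $v >= $FIXED_VERSION"
    return 0
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_VERSION_OLD='gst-inspect-1.0 version 1.10.1
GStreamer 1.10.1
https://example.invalid/gstreamer'
SAMPLE_VERSION_NEW='gst-inspect-1.0 version 1.10.2
GStreamer 1.10.2
https://example.invalid/gstreamer'
SAMPLE_PLUGINS='flx:  flxdec: FLX video decoder
coreelements:  capsfilter: CapsFilter'

# Demonstration on the constructed samples; the `|| true` keeps a non-zero
# verdict from aborting a caller that runs with `set -e`.
audit_report "$SAMPLE_VERSION_OLD" "$SAMPLE_PLUGINS" || true
audit_report "$SAMPLE_VERSION_NEW" "$SAMPLE_PLUGINS" || true

# On a real host, replace the samples with live output:
# audit_report "$(gst-inspect-1.0 --version)" "$(gst-inspect-1.0)"
```

A version number alone is not conclusive where a distribution backported the fix while keeping the 1.10.1 version string; treat an AT RISK or VULNERABLE verdict as a prompt to check the distro advisory for that package build, as the next action recommends.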
Evidence notes
The vulnerability description comes from the supplied CVE/NVD record and states that gst_decode_chain_free_internal in the flxdec decoder can crash on an invalid file due to an incorrect unref call. NVD lists the affected CPE range through 1.10.1 and a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Supporting references include the GStreamer 1.10.2 release notes, GNOME Bugzilla issue 774897, and related advisories from Red Hat, Gentoo, and SecurityFocus.
Official resources
- CVE-2016-9810 CVE record (CVE.org)
- CVE-2016-9810 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Mailing List, Third Party Advisory (URL not preserved)
- Mitigation or vendor reference: Mailing List, Third Party Advisory (URL not preserved)
- Mitigation or vendor reference: Third Party Advisory, VDB Entry (URL not preserved)
- Source reference: Issue Tracking (URL not preserved)
- Mitigation or vendor reference: Release Notes, Vendor Advisory (URL not preserved)
Publicly disclosed on 2017-01-13 per the supplied CVE publication timestamp. The supplied record was later modified on 2026-05-13; that modified date is not the original issue date.