PatchSiren cyber security CVE debrief

CVE-2016-9812 GStreamer CVE debrief

CVE-2016-9812 is a high-severity GStreamer bug in the MPEG-TS decoder. A too-small section can trigger an out-of-bounds read in gst_mpegts_section_new, which NVD characterizes as a remote denial-of-service condition. NVD scopes the affected range to GStreamer versions through 1.10.1, and the upstream release notes point to 1.10.2 as the fix point.

Vendor: GStreamer
Product: CVE-2016-9812
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Teams that process untrusted MPEG-TS content with GStreamer should prioritize this, especially if they run GStreamer 1.10.1 or earlier or ship downstream packages built from that branch. This includes media players, streaming services, set-top or embedded devices, and any application that parses externally supplied transport streams.

Technical summary

The issue is an out-of-bounds read in gst_mpegts_section_new within GStreamer's mpegts decoder. According to NVD, the weakness is CWE-125 and the attack surface is network-based, requires no privileges or user interaction, and impacts availability only. The vulnerable version range in the NVD CPE data ends at 1.10.1, while the GStreamer 1.10.2 release page is cited as the remediation reference.

Defensive priority

High — patch promptly if GStreamer is used to parse externally supplied MPEG-TS data or if any deployed build is at 1.10.1 or earlier.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or a later fixed release referenced by your distribution or vendor.
  • Confirm whether any downstream packages, firmware images, or embedded products still bundle GStreamer 1.10.1 or earlier.
  • Inventory applications and services that accept untrusted MPEG-TS input and treat them as in scope for remediation.
  • If immediate upgrading is not possible, limit exposure by restricting untrusted media sources and monitoring for parser crashes or abnormal termination.
  • Validate vendor advisories and backports from your OS or appliance vendor, since downstream fixes may be shipped separately from upstream version numbers.
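A small triage helper for the inventory and upgrade steps above (an added example, not PatchSiren's or GStreamer's own code). It compares reported versions numerically against the 1.10.2 fix point, so that 1.10.2 sorts after 1.9.x where a plain string comparison would not, and can read the local version through pkg-config. The host inventory is constructed for illustration; host names and the `triage` function are assumptions.

```python
"""Flag GStreamer installs at or below 1.10.1 for CVE-2016-9812 triage."""
import re
import subprocess

FIXED_VERSION = (1, 10, 2)  # upstream fix point named in the release notes


def parse_version(text):
    """Extract (major, minor, micro) from strings like 'GStreamer 1.10.1'.
    A missing micro component counts as 0; returns None if no version found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version_text):
    """True when the reported version is below the 1.10.2 fix point.
    Distributions backport fixes without bumping the version, so True means
    'check the vendor advisory', not 'definitely vulnerable'."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    return v < FIXED_VERSION


def local_gstreamer_version():
    """Ask pkg-config for the installed core library version; None if absent."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "gstreamer-1.0"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


def triage(inventory):
    """Return the (host, version) entries still in scope for remediation."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed inventory, as collected from `gst-inspect-1.0 --version` per host.
SAMPLE_INVENTORY = [
    ("media-gw-01", "GStreamer 1.10.1"),   # hypothetical host names
    ("stb-fw-2017q1", "1.8.3"),
    ("transcode-03", "GStreamer 1.10.2"),
    ("player-ci", "1.12.4"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is at or below 1.10.1, in scope for CVE-2016-9812")
```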

Evidence notes

The vulnerability description states that gst_mpegts_section_new in the mpegts decoder can read out of bounds when given a too-small section. NVD lists CWE-125 and a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the affected CPE range ends at version 1.10.1. The GStreamer 1.10.2 release page is included in the source set as the remediation reference, and downstream advisories from Red Hat, Debian, and Gentoo are also linked in the official references.

Official resources

CVE-2016-9812 was published on 2017-01-13. The official reference set includes upstream discussion and coordination links from early December 2016, followed by downstream vendor advisories in 2017.