PatchSiren

CVE-2016-9813 Gstreamer CVE debrief

CVE-2016-9813 is a denial-of-service issue in GStreamer’s mpegts parser. According to NVD, the _parse_pat function in GStreamer before 1.10.2 can be crashed by a crafted file, leading to a NULL pointer dereference. The impact is availability-only, and the published CVSS 3.0 vector reflects local execution with required user interaction.

Vendor: Gstreamer
Product: CVE-2016-9813
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators and developers who deploy or embed GStreamer, especially applications that process untrusted media files using the mpegts parser. Security teams responsible for desktop, media-processing, or pipeline-based systems should verify whether any installed GStreamer package is older than 1.10.2.

Technical summary

NVD identifies a CWE-476 NULL pointer dereference in the mpegts parser’s _parse_pat function. The affected CPE range is GStreamer versions up to and including 1.10.1. Based on the supplied record, a crafted file can trigger a crash, so the result is a denial of service rather than code execution or data theft.

Defensive priority

Medium. The issue is a crash-triggering availability flaw with CVSS 5.5, but it requires local execution and user interaction. Prioritize systems that routinely open untrusted media or that expose GStreamer-based processing to external content.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or later, as referenced by the vendor release notes.
  • Inventory systems and applications that bundle or dynamically link GStreamer and confirm the installed version is not affected.
  • Treat untrusted media files as risky input and route them through patched builds before processing.
  • If immediate upgrading is not possible, restrict handling of untrusted files on exposed systems until remediation is complete.
  • Validate vendor and distro advisories for package-specific backports, such as the referenced Red Hat and Debian notices.
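
The inventory and backport checks above can be scripted. The following is an added example, not part of the original debrief or of GStreamer: it assumes the version was collected with gst-inspect-1.0 --version and that the output contains a line of the form "GStreamer X.Y.Z"; the host names, sample outputs and the distro_package flag are constructed for illustration.

```python
import re

# First fixed upstream release named on this page.
FIXED = (1, 10, 2)

# Assumption: the collected text contains a line such as "GStreamer 1.10.1".
_VERSION_RE = re.compile(r"GStreamer\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, micro) as integers, or None if no version line."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text, distro_package=False):
    """Classify one host's collected version output for CVE-2016-9813.

    Versions are compared as integer tuples: a string comparison would
    wrongly rank "1.9.4" above "1.10.2".
    A distro package below 1.10.2 may carry a backported fix, so it is
    sent to advisory review instead of being called affected outright.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version >= FIXED:
        return "patched"
    return "check-distro-advisory" if distro_package else "affected"


# Constructed sample inventory: host -> (collected output, is distro package).
SAMPLE_INVENTORY = {
    "media-01": ("gst-inspect-1.0 version 1.10.1\nGStreamer 1.10.1\n", False),
    "media-02": ("gst-inspect-1.0 version 1.10.2\nGStreamer 1.10.2\n", False),
    "desktop-07": ("gst-inspect-1.0 version 1.9.4\nGStreamer 1.9.4\n", True),
    "kiosk-03": ("command not found\n", False),
}


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(out, distro) for host, (out, distro) in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A "check-distro-advisory" result means the package version alone cannot settle the question; compare the package release against the Red Hat or Debian notice for that distribution.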

Evidence notes

The vulnerability description, affected version range, weakness classification, and CVSS vector come from the supplied NVD record. References include the GStreamer 1.10.2 release notes, GNOME bug tracker entry 775120, and distro advisories from Red Hat and Debian. The record was published on 2017-01-13 and later modified on 2026-05-13; those dates are used only as record timing context.

Official resources

The CVE was published on 2017-01-13, with supporting disclosure references in late 2016 and vendor remediation guidance pointing to GStreamer 1.10.2. Use the published CVE date as the disclosure anchor; do not infer a later issue date from