PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9446 Red Hat CVE debrief

CVE-2016-9446 is an information-disclosure vulnerability in the GStreamer vmnc decoder. The decoder allocates its render canvas (the output frame buffer) but does not initialize it before use, so a crafted vmnc file that paints little or nothing leaves previously stored memory contents in the emitted frame, where they are exposed during processing or thumbnailing. The public description cites a simple 1-frame vmnc movie that does not draw to the allocated render canvas as the demonstration case. NVD rates the issue as high severity (7.5) with a network-exploitable, no-authentication, no-user-interaction attack profile and confidentiality impact only; integrity and availability are not affected. The weakness is mapped to CWE-665 (Improper Initialization).

Vendor
Red Hat
Product
GStreamer vmnc decoder (vmncdec.c)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Administrators and developers who deploy GStreamer or downstream packages that decode vmnc media should care, especially if untrusted files are thumbnailed, previewed, or processed automatically. That includes desktop environments, file managers, media services, and distribution maintainers shipping affected GStreamer builds.

Technical summary

The vmnc decoder allocates the render canvas without clearing it. Every pixel that a frame does not paint therefore keeps whatever the allocator handed out, typically data left behind by earlier allocations in the same process. A crafted stream that draws nothing, or only a small region, produces an output frame consisting mostly of stale process memory, and any thumbnail or preview generated from that frame carries the same contents. What is recoverable depends on the heap state of the process doing the decoding, and the attacker still needs the rendered output to reach them (for example a thumbnail stored where they can read it, or a preview returned by a service), but the decoder itself imposes no limit on what it copies out. According to NVD, affected GStreamer versions are those before 1.11.1, and the issue is classified under CWE-665.
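The following is an added illustration of the CWE-665 pattern described above; it is not GStreamer code and does not use the real vmnc wire format. It models a one-byte-per-pixel canvas and an invented frame layout (a rectangle count followed by x, y, width, height, colour per rectangle). The canvas is pre-filled with a marker byte standing in for stale heap data, then decoded both without initialization (the vulnerable behaviour) and with the canvas zeroed first (the fix), so the number of marker bytes surviving into the output measures the leak. The names decode_frame, leaked_bytes and the sample frames are all constructed for this example.

```c
/* Added example modelling CVE-2016-9446 (CWE-665): a toy frame decoder whose
 * output canvas is either left uninitialized (vulnerable) or zeroed (fixed).
 * Frame format (invented for the demo, NOT vmnc):
 *   byte 0      : number of rectangles
 *   then per rect: x, y, w, h, colour   (5 bytes each)
 * Canvas: CANVAS_W x CANVAS_H, one byte per pixel.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CANVAS_W 8
#define CANVAS_H 4
#define CANVAS_LEN (CANVAS_W * CANVAS_H)

enum { CANVAS_NO_INIT = 0, CANVAS_ZERO_INIT = 1 };

/* Stand-in for sensitive data left in memory by an earlier allocation. */
#define STALE_MARKER 0x53

/* Decode one frame into the caller-owned canvas.
 * Returns the number of rectangles painted, or -1 on malformed input.
 * With CANVAS_NO_INIT every pixel the frame does not paint keeps its previous
 * contents: that is the defect. With CANVAS_ZERO_INIT the buffer has defined
 * contents before any drawing, which is what the upstream fix establishes. */
int decode_frame(const uint8_t *frame, size_t len, uint8_t *canvas, int init)
{
    if (init == CANVAS_ZERO_INIT)
        memset(canvas, 0, CANVAS_LEN);

    if (len < 1)
        return -1;
    unsigned nrects = frame[0];
    if (len < 1 + (size_t)nrects * 5)          /* truncated rectangle list */
        return -1;

    const uint8_t *p = frame + 1;
    for (unsigned i = 0; i < nrects; i++, p += 5) {
        unsigned x = p[0], y = p[1], w = p[2], h = p[3];
        uint8_t colour = p[4];
        if (x + w > CANVAS_W || y + h > CANVAS_H) /* reject out-of-bounds rects */
            return -1;
        for (unsigned row = y; row < y + h; row++)
            memset(canvas + row * CANVAS_W + x, colour, w);
    }
    return (int)nrects;
}

/* Simulated thumbnailing run: pre-fill the canvas with the stale marker,
 * decode the frame, and report how many marker bytes reach the output.
 * Returns -1 if the frame was rejected. */
long leaked_bytes(const uint8_t *frame, size_t len, int init)
{
    uint8_t canvas[CANVAS_LEN];
    memset(canvas, STALE_MARKER, sizeof canvas);   /* "previous heap contents" */
    if (decode_frame(frame, len, canvas, init) < 0)
        return -1;
    long leaked = 0;
    for (size_t i = 0; i < sizeof canvas; i++)
        if (canvas[i] == STALE_MARKER)
            leaked++;
    return leaked;
}

/* Constructed sample inputs. */
static const uint8_t EMPTY_FRAME[]   = { 0 };                     /* the 1-frame movie that draws nothing */
static const uint8_t PARTIAL_FRAME[] = { 1, 0, 0, 4, 4, 0x11 };   /* paints only the left half */
static const uint8_t FULL_FRAME[]    = { 1, 0, 0, 8, 4, 0x11 };   /* paints every pixel */
static const uint8_t BAD_FRAME[]     = { 1, 6, 0, 4, 1, 0x11 };   /* x + w exceeds the canvas width */

int main(void)
{
    printf("empty frame, uninitialised canvas: %ld of %d bytes are stale data\n",
           leaked_bytes(EMPTY_FRAME, sizeof EMPTY_FRAME, CANVAS_NO_INIT), CANVAS_LEN);
    printf("empty frame, zeroed canvas:        %ld stale bytes\n",
           leaked_bytes(EMPTY_FRAME, sizeof EMPTY_FRAME, CANVAS_ZERO_INIT));
    printf("half-painted frame, uninitialised: %ld stale bytes\n",
           leaked_bytes(PARTIAL_FRAME, sizeof PARTIAL_FRAME, CANVAS_NO_INIT));
    printf("out-of-bounds rectangle rejected:  %ld\n",
           leaked_bytes(BAD_FRAME, sizeof BAD_FRAME, CANVAS_ZERO_INIT));
    return 0;
}
```

The uninitialized path shows why the leak is not limited to the "draws nothing" case: any region a frame leaves unpainted is exposed, so a partially painted frame still leaks the uncovered area. Zeroing (or otherwise fully initializing) the canvas before the first draw closes the whole class; the bounds check on rectangles is a separate, ordinary input-validation requirement that a decoder handling untrusted media needs regardless of this CVE.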

Defensive priority

High

Recommended defensive actions

  • Upgrade GStreamer to a fixed release; NVD lists the affected versions as those before 1.11.1.
  • Apply the vendor or downstream security update for your distribution, such as the Red Hat advisory referenced in the source corpus.
  • Backport the upstream vmnc decoder fix if you maintain a packaged or embedded GStreamer build.
  • Treat vmnc media as untrusted input and minimize automatic thumbnailing or preview generation for it until patched.
  • Isolate media-processing components where practical so a decoder bug cannot expose broader application data.
  • Verify deployed package versions across desktop, server, and image-processing systems that may include GStreamer plugins; the vmnc decoder (vmncdec.c) ships in the gst-plugins-bad plugin set, so check that package rather than only the core GStreamer library.

Evidence notes

The source corpus contains the NVD record, which lists the vulnerability description, CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), and CWE-665 mapping. It also includes upstream and downstream references: oss-security discussion threads dated 2016-11-18, the upstream freedesktop.org commit for vmncdec.c, GNOME Bugzilla, Red Hat errata, and Fedora/Gentoo advisories. The CVE record was published on 2017-01-23; the 2026-05-13 modified timestamp reflects later record maintenance and should not be treated as the original issue date.

Official resources

Public discussion appears in oss-security on 2016-11-18. The CVE record was published by NVD on 2017-01-23. The later 2026-05-13 modification timestamp is a record update, not the vulnerability's disclosure date.