PatchSiren cyber security CVE debrief
CVE-2016-9634 Red Hat CVE debrief
CVE-2016-9634 is a critical memory-safety issue in GStreamer's FLIC decoder. A crafted FLIC file can trigger a heap-based buffer overflow in flx_decode_delta_fli, which can crash affected applications and may allow remote code execution in software that processes untrusted media.
- Vendor
- Red Hat (downstream GStreamer packages)
- Product
- GStreamer, FLIC decoder (gst/flx/gstflxdec.c)
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-27
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-27
- Advisory updated
- 2026-05-13
Who should care
Teams running applications or services that decode user-supplied media with GStreamer, especially products or distributions that ship vulnerable GStreamer builds, should prioritize this issue. Security and platform teams should also care if the decoder is reachable through browsers, document viewers, chat clients, or any upload pipeline.
Technical summary
NVD describes a heap-based buffer overflow in gst/flx/gstflxdec.c within the flx_decode_delta_fli function of GStreamer's FLIC decoder. The CVSS vector rates the flaw as network-reachable with no privileges or user interaction required; in practice the trigger is any path by which a crafted FLIC file reaches the decoder, including the upload pipelines, viewers, and chat clients named above. The CVE description relates the overflow to the start_line parameter, the row offset at which a delta chunk begins writing into the frame buffer, which is taken from the crafted input. Impact is rated high for confidentiality, integrity, and availability. NVD lists GStreamer versions through 1.10.1 as affected and maps downstream Red Hat Enterprise Linux and Debian package CPEs as vulnerable.
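The following is an added illustration, written for this debrief and not taken from GStreamer's source, of the bug class the summary describes. It models a simplified FLI delta chunk (a 16-bit start line and line count, then per-line packets of skip byte, signed count byte, and literal or replicated pixels) and decodes it with and without a bound check on start_line. The decoder, the frame layout, the sample chunks, and the canary bytes after the frame are all constructed for this example; the horizontal bounds check is kept in both modes so that the only difference between them is the row bound that the CVE concerns.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame: width * height bytes of 8-bit indexed pixels. */
typedef struct {
    uint8_t *pixels;
    size_t width;
    size_t height;
} frame_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Simplified delta decoder (not GStreamer's code). strict = 0 models the
 * pre-1.10.2 behaviour described by the CVE: start_line from the chunk header is
 * trusted. strict = 1 adds the row bound check that the vulnerable code lacked.
 * Returns 0 on success, -1 on malformed or out-of-bounds input. */
int decode_delta_fli(const uint8_t *data, size_t len, frame_t *f, int strict)
{
    if (len < 4) return -1;
    uint16_t start_line = rd16le(data);
    uint16_t lines = rd16le(data + 2);
    size_t pos = 4;

    /* Hardened path: every row the chunk addresses must lie inside the frame. */
    if (strict && (size_t)start_line + lines > f->height) return -1;

    /* Without the check above this pointer can land past the end of the frame. */
    uint8_t *row = f->pixels + (size_t)start_line * f->width;
    for (uint16_t l = 0; l < lines; l++) {
        if (pos >= len) return -1;
        uint8_t npackets = data[pos++];
        size_t x = 0;
        for (uint8_t p = 0; p < npackets; p++) {
            if (pos + 2 > len) return -1;
            x += data[pos++];                         /* pixels to skip */
            int8_t count = (int8_t)data[pos++];       /* >0 literal run, <0 replicate */
            size_t n = count >= 0 ? (size_t)count : (size_t)(-count);
            if (x + n > f->width) return -1;          /* horizontal bound, both modes */
            if (count >= 0) {
                if (pos + n > len) return -1;
                memcpy(row + x, data + pos, n);
                pos += n;
            } else {
                if (pos >= len) return -1;
                memset(row + x, data[pos], n);
                pos += 1;
            }
            x += n;
        }
        row += f->width;
    }
    return 0;
}

#define W 4
#define H 4
#define CANARY 16

/* Constructed crafted chunk: start_line = 5 on a 4-row frame, one line, one
 * packet writing two literal bytes. Returns -1 if the decoder rejected it,
 * 1 if it accepted it and wrote into the canary region past the frame,
 * 0 if it accepted it and the canary is intact. The canary lives in the same
 * stack array so the overflow stays inside our own allocation. */
int demo_crafted_chunk(int strict)
{
    uint8_t backing[W * H + CANARY];
    memset(backing, 0x00, W * H);
    memset(backing + W * H, 0xCC, CANARY);
    frame_t f = { backing, W, H };
    const uint8_t chunk[] = { 0x05, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB };
    if (decode_delta_fli(chunk, sizeof chunk, &f, strict) != 0) return -1;
    for (size_t i = W * H; i < sizeof backing; i++)
        if (backing[i] != 0xCC) return 1;
    return 0;
}

/* Constructed benign chunk: start_line = 1, one line, skip 1 pixel, then
 * replicate 0x7F three times (count byte 0xFD = -3). Returns 0 when the
 * strict decoder accepts it and pixels 5..7 hold 0x7F with neighbours untouched. */
int demo_benign_chunk(void)
{
    uint8_t pixels[W * H] = { 0 };
    frame_t f = { pixels, W, H };
    const uint8_t chunk[] = { 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0xFD, 0x7F };
    if (decode_delta_fli(chunk, sizeof chunk, &f, 1) != 0) return -1;
    return (pixels[4] == 0 && pixels[5] == 0x7F && pixels[6] == 0x7F &&
            pixels[7] == 0x7F && pixels[8] == 0) ? 0 : 1;
}
```

The unchecked mode accepts the crafted chunk and writes past the frame; the strict mode rejects the same bytes before any write happens. A real fix must also cover the other chunk types the decoder handles, so treat this as a model of the check, not a substitute for upgrading.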
Defensive priority
Critical. This is a remotely triggerable memory corruption flaw in a media parser, so it should be remediated quickly wherever GStreamer or bundled downstream packages are exposed to untrusted input.
Recommended defensive actions
- Upgrade GStreamer to 1.10.2 or later, or apply the vendor/distribution backport that removes the vulnerable condition.
- Patch downstream packages from your OS vendor if you consume GStreamer through a distribution build rather than upstream source.
- Inventory applications and services that parse FLIC or other untrusted media with GStreamer and treat them as in-scope for remediation.
- Reduce exposure by sandboxing or isolating media processing components and restricting which file types are accepted from untrusted users.
- Monitor for crashes or abnormal terminations in media-handling workloads until patching is complete.
Evidence notes
The public CVE description and NVD record identify a heap-based buffer overflow in flx_decode_delta_fli in gst/flx/gstflxdec.c, related to the start_line parameter. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H and CWE-119. NVD also lists GStreamer through 1.10.1 as affected, with references including the GStreamer 1.10.2 release notes and multiple third-party advisories. The record was published on 2017-01-27 and last modified in NVD on 2026-05-13.
Official resources
- CVE-2016-9634 CVE record (CVE.org)
- CVE-2016-9634 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed in the CVE/NVD record on 2017-01-27; NVD last modified the record on 2026-05-13.