
PatchSiren cyber security CVE debrief

CVE-2016-9635 Red Hat CVE debrief

CVE-2016-9635 is a critical memory-corruption flaw in GStreamer's FLIC decoder. A malformed skip count can move the decoder's write position past the end of the initialized buffer in flx_decode_delta_fli, which can crash the application and may allow arbitrary code execution. The affected GStreamer range is listed as versions through 1.10.1, with a fix in 1.10.2 and downstream advisories for packaged Linux distributions.

Vendor: Red Hat
Product: CVE-2016-9635
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Teams that ship or embed GStreamer, especially media-processing services, desktop applications, and Linux distribution maintainers. Security teams should also review any products that parse untrusted FLIC media via GStreamer.

Technical summary

NVD describes a heap-based buffer overflow in gst/flx/gstflxdec.c, specifically in flx_decode_delta_fli within the FLIC decoder. The condition is triggered when a provided skip count goes beyond the initialized buffer. NVD maps this to CWE-119 and rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable flaw with no privileges or user interaction required. The vulnerable GStreamer range is listed as through 1.10.1, and the GStreamer 1.10.2 release notes are included as the fix reference.
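To make the skip-count condition concrete, the following is an added example written for this debrief, not GStreamer's own flx_decode_delta_fli: a simplified delta-line decoder whose packet layout (one-byte skip count, signed one-byte size) is an assumption, showing the bounds check on the skip and on every write that prevents the cursor from leaving the frame buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Simplified model of a delta-line decoder (constructed for this debrief, not
 * GStreamer's code). A packet is a one-byte skip count and a signed one-byte
 * size: size > 0 copies that many literal bytes, size < 0 repeats the next byte
 * -size times. Returns 0, or -1 if any skip or write would leave the frame. */
int decode_delta_checked(const uint8_t *chunk, size_t chunk_len,
                         uint8_t *frame, size_t frame_len)
{
    size_t in = 0, out = 0;
    while (in + 2 <= chunk_len) {
        uint8_t skip = chunk[in++];
        int8_t size = (int8_t)chunk[in++];
        if (skip > frame_len - out)          /* bound the skip before applying it */
            return -1;
        out += skip;
        if (size > 0) {
            size_t n = (size_t)size;
            if (n > frame_len - out || n > chunk_len - in)
                return -1;
            memcpy(frame + out, chunk + in, n);
            in += n;
            out += n;
        } else if (size < 0) {
            size_t n = (size_t)(-size);
            if (n > frame_len - out || in >= chunk_len)
                return -1;
            memset(frame + out, chunk[in++], n);
            out += n;
        }
    }
    return 0;
}
/* Constructed well-formed chunk: skip 2, write "abc". Returns 1 if frame matches. */
int example_valid(void) {
    uint8_t frame[8] = {0};
    const uint8_t chunk[] = {2, 3, 'a', 'b', 'c'};
    if (decode_delta_checked(chunk, sizeof chunk, frame, sizeof frame) != 0)
        return 0;
    return frame[1] == 0 && frame[2] == 'a' && frame[4] == 'c' && frame[5] == 0;
}
/* Constructed malformed chunk: skip 200 into an 8-byte frame. An unchecked
 * decoder would move its cursor past the buffer; this one returns -1 first. */
int example_malformed(void) {
    uint8_t frame[8] = {0};
    const uint8_t chunk[] = {200, 1, 'x'};
    return decode_delta_checked(chunk, sizeof chunk, frame, sizeof frame);
}
```

The same pattern applies to any length-prefixed media format: every count taken from the input is compared against the remaining output and input before the cursor moves, so a malformed chunk is rejected rather than written past the allocation.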

Defensive priority

High. This is network-reachable, unauthenticated, and can affect confidentiality, integrity, and availability. Treat it as urgent for any environment that processes untrusted media with affected GStreamer builds.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or later, or apply the vendor backport provided by your distribution.
  • Check downstream packages and advisories for affected platforms, including the referenced Red Hat and Debian security notices.
  • Inventory applications and services that parse FLIC media through GStreamer, including indirect dependencies.
  • Isolate or sandbox media parsing workloads where practical to reduce the impact of decoder memory corruption.
  • If FLIC support is not required, disable or remove the decoder path in your deployment.
  • Rebuild and redeploy affected containers, images, and appliances after patching to ensure the fixed library is in use.

Evidence notes

The supplied NVD record names the vulnerable function, the skip-count condition, the affected version range through 1.10.1, and the CWE/CVSS data. It also points to the GStreamer 1.10.2 release notes, a GNOME bug tracker entry, an oss-security mailing list post from 2016-11-24, and downstream Red Hat and Debian advisories. The CVE was published on 2017-01-27 and later modified in NVD metadata on 2026-05-13; that modified date is not the original issue date.

Official resources

Public discussion appears in the supplied 2016-11-24 oss-security reference, with the CVE published by NVD on 2017-01-27 and later updated in NVD metadata on 2026-05-13.