PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9636 Redhat CVE debrief

CVE-2016-9636 is a critical heap-based buffer overflow in GStreamer's FLIC decoder. A crafted FLIC file can drive a write count beyond the initialized buffer in flx_decode_delta_fli, creating a remote code execution or crash risk. NVD rates the issue 9.8/CRITICAL: the attack vector is network, and no privileges or user interaction are required.

Vendor: Redhat
Product: CVE-2016-9636
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Teams that ship, embed, or depend on GStreamer media parsing should treat this as urgent, especially desktop, server, and application stacks that process untrusted media files. Linux distro maintainers and security teams for affected downstream packages should also verify patched versions are deployed.

Technical summary

The vulnerable code path is flx_decode_delta_fli in gst/flx/gstflxdec.c within GStreamer's FLIC decoder. NVD describes a heap-based buffer overflow caused when a provided write count exceeds the initialized buffer. The affected upstream range is GStreamer through 1.10.1, with 1.10.2 identified in the release notes as the fixing release. NVD also maps impacted downstream CPEs for Red Hat Enterprise Linux 6 variants and Debian 8.

Defensive priority

Immediate. This is a remotely reachable memory corruption issue with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, so deploying the fix and reviewing exposure should be prioritized now.

Recommended defensive actions

  • Upgrade GStreamer to 1.10.2 or later, or install the relevant vendor security update if you consume distro packages.
  • Confirm whether any applications or services ingest untrusted FLIC/media content through GStreamer and prioritize those systems first.
  • Inventory systems matching the affected CPEs in NVD, including GStreamer up to 1.10.1 and downstream Red Hat Enterprise Linux 6 and Debian 8 package lineages.
  • Validate that patched libraries are actually loaded at runtime, especially in bundled or containerized applications.
  • Treat crashes in media parsing paths as security-relevant until patch levels are confirmed.
  • Use the linked vendor advisories and release notes to align remediation with your distribution's packaging cadence.
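The version check and the runtime-loading check above can be scripted. The following Python triage helper is an added example, not PatchSiren's or the GStreamer project's code. It takes the fixed release (1.10.2) and the affected upstream range (through 1.10.1) from the debrief, parses the version printed by gst-inspect-1.0 --version, and scans /proc/<pid>/maps for processes that have the FLIC decoder plugin (libgstflxdec.so) mapped. The sample maps text and the plugin path in it are constructed for illustration; distribution packages may carry a backported fix under an older version number, so the version comparison is only authoritative for upstream builds and the vendor advisory decides for distro packages.

```python
"""Triage helpers for CVE-2016-9636 (added example, not the debrief's own code).

Facts taken from the debrief: upstream GStreamer through 1.10.1 is affected,
1.10.2 is the fixing release, the vulnerable code lives in the FLIC decoder.
"""
import glob
import re
import subprocess
from typing import Dict, List, Tuple

FIXED_VERSION: Tuple[int, int, int] = (1, 10, 2)  # first fixed upstream release

# Constructed sample of /proc/<pid>/maps output; the paths are illustrative.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 1234567 /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstflxdec.so
7f3a1c021000-7f3a1c220000 ---p 00021000 08:01 1234567 /usr/lib/x86_64-linux-gnu/gstreamer-1.0/libgstflxdec.so
7f3a1d000000-7f3a1d100000 r-xp 00000000 08:01 7654321 /usr/lib/x86_64-linux-gnu/libgstreamer-1.0.so.0.1001.0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the first x.y.z version out of text such as
    'gst-inspect-1.0 version 1.10.1' (the tool name's '1.0' is skipped
    because it has no third component)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in match.groups())


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Upstream-only check: anything below the fixing release is in the
    affected range. Distro builds may backport the fix; use the vendor
    advisory for those rather than this comparison."""
    return version < FIXED_VERSION


def flx_libraries_in_maps(maps_text: str) -> List[str]:
    """Return distinct FLIC decoder plugin paths mapped in a maps dump.
    Each maps line is: address perms offset dev inode [pathname]."""
    found: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and "libgstflxdec" in parts[5] and parts[5] not in found:
            found.append(parts[5])
    return found


def scan_running_processes() -> Dict[int, List[str]]:
    """Walk /proc (Linux only) and report pids with the FLIC plugin mapped.
    A hit means that process parses FLIC data and must be restarted after
    the library on disk is updated, or the old code stays resident."""
    hits: Dict[int, List[str]] = {}
    for maps_path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps_path) as fh:
                libs = flx_libraries_in_maps(fh.read())
        except OSError:
            continue  # process exited or is not readable by this user
        if libs:
            hits[int(maps_path.split("/")[2])] = libs
    return hits


def installed_gstreamer_version() -> Tuple[int, ...]:
    """Ask gst-inspect-1.0 for its version; raises if the tool is absent."""
    out = subprocess.run(["gst-inspect-1.0", "--version"],
                         capture_output=True, text=True, check=True).stdout
    return parse_version(out)


if __name__ == "__main__":
    try:
        ver = installed_gstreamer_version()
        state = "in affected upstream range" if is_vulnerable(ver) else "at or above fixed release"
        print(f"GStreamer {'.'.join(map(str, ver))}: {state}")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"could not determine GStreamer version: {exc}")
    for pid, libs in scan_running_processes().items():
        print(f"pid {pid} has FLIC decoder mapped: {libs}")
```

Run it as root (or as the owning user) on each host in the inventory; a process that still maps libgstflxdec.so after the package update needs a restart before the upgrade is effective.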

Evidence notes

Primary evidence comes from the NVD CVE record, which describes a heap-based buffer overflow in flx_decode_delta_fli in GStreamer's FLIC decoder and assigns CVSS 3.0 9.8/CRITICAL. The NVD record lists affected upstream versions through 1.10.1 and includes downstream CPE mappings for Red Hat Enterprise Linux 6 variants and Debian 8. The GStreamer 1.10.2 release notes are referenced as the vendor-fix pointer. The oss-security mailing list reference and GNOME bug tracker entry provide additional public disclosure context, while the Red Hat and Debian advisories show downstream remediation tracking.

Official resources

CVE published 2017-01-27T22:59:02.053Z. Public references in the supplied corpus include a 2016 oss-security mailing list post, GNOME bug tracking, and vendor advisories; NVD was last modified on 2026-05-13T00:24:29.033Z. The CVE issue date