PatchSiren cyber security CVE debrief

CVE-2016-9811 Redhat CVE debrief

CVE-2016-9811 is a denial-of-service vulnerability in GStreamer's gst-plugins-base component, specifically the windows_icon_typefind function in versions before 1.10.2. The issue is an out-of-bounds read triggered by a crafted ICO file. NVD records this CVE as published on 2017-01-13 and later modified on 2026-05-13.

Vendor: Redhat
Product: CVE-2016-9811
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Administrators and developers who deploy or bundle GStreamer gst-plugins-base before 1.10.2, especially on systems that process untrusted image or media content. It also matters for downstream Linux distributions and product teams that ship affected GStreamer packages, including the distribution advisories and CPEs referenced by NVD (for example Debian, Fedora, and Red Hat-related package and platform entries).

Technical summary

The vulnerable code path is windows_icon_typefind in gst-plugins-base. According to the NVD record, a crafted ICO file can cause an out-of-bounds read, leading to denial of service. The weakness is mapped to CWE-125. NVD lists affected GStreamer versions up to and including 1.10.1, with the fixed release noted as GStreamer 1.10.2. The CVSS 3.1 vector in NVD is AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (local attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, availability impact only), which is important context when assessing exposure.

Defensive priority

Medium. The impact is availability-focused and the CVSS score is moderate, but the flaw affects parsing of untrusted content and can be relevant in media-processing or desktop pipelines that ingest user-supplied ICO files.

Recommended defensive actions

  • Upgrade GStreamer gst-plugins-base to 1.10.2 or later, as indicated by the vendor release notes.
  • Check downstream packages and distro advisories referenced by NVD, including Debian, Red Hat, Fedora, and Gentoo guidance, to confirm whether your platform still includes a vulnerable build.
  • Review applications or services that process ICO files through GStreamer and restrict exposure to untrusted inputs where feasible.
  • If immediate upgrading is not possible, prioritize compensating controls that reduce untrusted file ingestion in affected workflows.
  • Verify package inventories against the affected CPE criteria in the NVD record to identify impacted deployments.
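As an added example (not PatchSiren's tooling or anything from the NVD record), a small Python check that scans a package inventory for gst-plugins-base builds whose upstream version is below the fixed release 1.10.2; the 'host package version' inventory format and the host names are assumptions, and because distributions may backport the fix while keeping an older version string, hits are candidates to confirm against the distro advisory rather than confirmed vulnerable builds.

```python
import re
from typing import List, Tuple

# Fixed upstream release named in the NVD record for CVE-2016-9811.
FIXED_VERSION = (1, 10, 2)

def parse_upstream_version(version: str) -> Tuple[int, ...]:
    """Numeric upstream version, dropping epoch and distro revision, e.g.
    '1:1.10.1-1' -> (1, 10, 1). Tuples compare numerically: 1.9.0 < 1.10.2."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]
    parts = re.findall(r"\d+", upstream)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True when the upstream version is below the fixed release 1.10.2."""
    return parse_upstream_version(version) < FIXED_VERSION

def find_vulnerable(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'host package version' lines; return (host, package, version) hits.

    Only the upstream version is compared. A distro may backport the fix while
    keeping an older version string, so hits are candidates to confirm against
    the distro advisory, not confirmed vulnerable builds.
    """
    hits = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, package, version = line.split()
        # Match upstream and distro package names (e.g. libgstreamer-plugins-base1.0-0).
        if "plugins-base" in package and is_affected(version):
            hits.append((host, package, version))
    return hits

# Constructed sample inventory (hypothetical hosts), 'host package version' per line.
SAMPLE_INVENTORY = [
    "build01 gst-plugins-base 1.10.1-1",
    "media02 libgstreamer-plugins-base1.0-0 1.8.3-1ubuntu0.2",
    "web03 gst-plugins-base 1.10.2",
    "ci04 gst-plugins-base 1.9.0",
    "desk05 gst-plugins-good 1.10.1",
]

if __name__ == "__main__":
    for host, package, version in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: {package} {version} is below 1.10.2; check the distro advisory")
```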

Evidence notes

All key claims are supported by the supplied NVD record and linked advisories. The description states that the flaw is in windows_icon_typefind in gst-plugins-base before 1.10.2 and that a crafted ICO file can cause an out-of-bounds read and DoS. NVD also provides the CWE-125 mapping, the CVSS 3.1 vector, and the affected CPE criteria. The GStreamer 1.10 release notes link is the clearest vendor-side indicator of the fixed version. Note that the NVD description says 'remote attackers,' while the CVSS vector includes AV:L (local attack vector) and UI:R (user interaction required); that discrepancy should be treated cautiously and not expanded beyond the source corpus.

Official resources

Publicly disclosed in the CVE record on 2017-01-13 and later modified in NVD on 2026-05-13. No CISA KEV entry was provided in the supplied data.