These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
An integer division-by-zero vulnerability exists in GStreamer gst-plugins-good before version 1.28.2. The flaw resides in the isomp4 plugin's qtdemux_audio_caps function, which fails to adequately validate atom data from MP4 audio tracks before performing division operations. This validation gap can trigger a denial-of-service condition when processing malformed MP4 files. The vulnerability was published [truncated]
A denial-of-service vulnerability exists in GStreamer gst-plugins-good versions prior to 1.28.2. The isomp4 plugin's qtdemux_parse_trak function fails to adequately validate atom data from MP4 audio tracks before performing division operations, resulting in integer division by zero. This flaw can be triggered when processing malformed MP4 files, causing the application to crash. The vulnerability is class [truncated]
CVE-2017-5846 is a denial-of-service vulnerability in GStreamer’s gst-plugins-ugly ASF demuxer. When parsing certain video files, gst_asf_demux_process_ext_stream_props could perform an invalid memory read and crash. The issue was publicly disclosed on 2017-02-09, and the NVD record was later updated on 2026-05-13. The fixed version referenced in the vendor release notes is 1.10.3.
CVE-2017-5845 is a high-severity denial-of-service issue in GStreamer's AVI demuxer. A malformed ncdt sub-tag in an AVI file can make gst_avi_demux_parse_ncdt read invalid memory and crash the process. GStreamer fixed the issue in 1.10.3; NVD lists affected gst-plugins-good versions through 1.10.2.
CVE-2017-5844 describes a denial-of-service issue in GStreamer’s ASF parsing path. The vulnerable function, gst_riff_create_audio_caps in gst-libs/gst/riff/riff-media.c, can trigger a floating point exception and crash when processing crafted ASF content. NVD maps the affected versions to gstreamer:gstreamer up to 1.10.2, and the GStreamer 1.10.3 release notes are the vendor reference for the fix.
CVE-2017-5843 describes multiple use-after-free flaws in GStreamer’s object and tag-list cleanup paths. According to the supplied NVD record, attackers could trigger a crash remotely by sending crafted media streams or stream tags, with the issue demonstrated by an MXF sample file. The vendor-fixed boundary is GStreamer 1.10.3, and NVD rates the impact as availability-only denial of service.
CVE-2017-5842 is a denial-of-service vulnerability in GStreamer's gst-plugins-base SMI subtitle parser. A crafted SMI file can trigger an out-of-bounds write in html_context_handle_element, and the issue was fixed in GStreamer 1.10.3. NVD assigns a medium severity score (CVSS 5.5) and lists availability impact as the primary concern.
CVE-2017-5841 is a remotely triggerable denial-of-service issue in GStreamer’s AVI demuxer. Crafted AVI content with ncdt tags can reach an out-of-bounds heap read in gst_avi_demux_parse_ncdt. The issue affects gst-plugins-good before 1.10.3; the supplied NVD data lists affected versions through 1.10.2.
CVE-2017-5840 is a high-severity GStreamer issue in gst-plugins-good that can let a remote attacker cause a denial of service through an out-of-bounds heap read in qtdemux_parse_samples. The NVD record lists the vulnerable range as GStreamer versions through 1.10.2, and the vendor release notes point to 1.10.3 as the fixed release.
CVE-2017-5839 is a remotely triggerable denial-of-service issue in GStreamer’s gst-plugins-base component. The vulnerable code path can recurse too deeply when handling nested WAVEFORMATEX content, leading to stack overflow and crash. NVD rates the issue as high severity and maps affected versions through 1.10.2, with 1.10.3 referenced as the fix in the vendor release notes.
CVE-2017-5838 is a memory-safety denial-of-service issue in GStreamer’s datetime parsing code. According to the CVE record, a malformed ISO 8601 datetime string can trigger an out-of-bounds heap read in gst_date_time_new_from_iso8601_string(), affecting GStreamer versions before 1.10.3. The NVD record rates the issue as HIGH severity with network attack vector, no privileges required, and availability impact only.
CVE-2017-5837 is a denial-of-service issue in GStreamer's gst-plugins-base component. A crafted video file can trigger a floating point exception and crash in gst_riff_create_audio_caps, affecting versions before 1.10.3. The practical risk is service interruption in applications or systems that parse untrusted media with affected GStreamer builds.
CVE-2016-10199 affects GStreamer gst-plugins-good before 1.10.3. A crafted tag value can trigger an out-of-bounds read in qtdemux_tag_add_str_full, resulting in a remote denial of service by crashing the process. NVD lists the issue as published on 2017-02-09, with its metadata later updated on 2026-05-13; that later date is not the vulnerability’s original issue date.
CVE-2016-10198 is a denial-of-service issue in GStreamer’s gst-plugins-good AAC parser. According to NVD, a crafted audio file can trigger an invalid memory read and crash in gst_aac_parse_sink_setcaps, affecting GStreamer versions up to 1.10.2. The issue was fixed in GStreamer 1.10.3.
CVE-2016-9447 is a memory-safety flaw in the NSF decoder used by GStreamer 0.10.x. A specially crafted NSF music file can trigger out-of-bounds read or write conditions, which can crash affected software and may create a path to arbitrary code execution. NVD rates the issue 7.8 HIGH and lists it as requiring user interaction, with the published CVSS vector indicating local attack conditions.
CVE-2016-9445 is a high-severity GStreamer vulnerability in the vmnc decoder. According to NVD, specially crafted input with large width and height values can trigger an integer overflow that leads to a buffer overflow and denial of service (crash). The NVD record lists network attackability with no privileges or user interaction required and identifies CWE-190.
CVE-2016-9813 is a denial-of-service issue in GStreamer’s mpegts parser. According to NVD, the _parse_pat function in GStreamer before 1.10.2 can be crashed by a crafted file, leading to a NULL pointer dereference. The impact is availability-only, and the published CVSS 3.0 vector reflects local execution with required user interaction.
CVE-2016-9812 is a high-severity GStreamer bug in the MPEG-TS decoder. A too-small section can trigger an out-of-bounds read in gst_mpegts_section_new, which NVD characterizes as a remote denial-of-service condition. NVD scopes the affected range to GStreamer versions through 1.10.1, and the upstream release notes point to 1.10.2 as the fixed release.
CVE-2016-9810 is a denial-of-service vulnerability in GStreamer’s flxdex decoder. An invalid file can trigger an incorrect unref call in gst_decode_chain_free_internal, leading to an invalid memory read and crash. The affected range in NVD is GStreamer versions up to and including 1.10.1, with the vendor release notes indicating the fix in 1.10.2.
CVE-2016-9809 is an out-of-bounds read issue in GStreamer’s H.264 caps parsing logic. According to NVD, versions of GStreamer through 1.10.1 are affected, and the fix was released in 1.10.2. The vulnerability is associated with a high CVSS score (7.8) and should be treated as a priority for any environment that processes untrusted media content.
CVE-2016-9808 is a remote denial-of-service vulnerability in GStreamer’s FLIC decoder. According to the CVE description and NVD record, crafted skip/count pairs can trigger an out-of-bounds write and crash the process. The affected version range in the NVD CPE data is GStreamer through 1.10.1, with 1.10.2 listed in the vendor release notes as the fixed release.
CVE-2016-9807 is a denial-of-service issue in GStreamer's FLIC decoder. A crafted FLIC file can cause an invalid memory read and crash in flx_decode_chunks (gst/flx/gstflxdec.c) in versions before 1.10.2.