GStreamer CVE-2016-10198
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file.
AnalysisAI
An invalid memory read vulnerability exists in the gst_aac_parse_sink_setcaps function within GStreamer's AAC audio parser component (gst-plugins-good). Remote attackers can trigger a denial of service by providing a specially crafted AAC audio file, causing the application to crash. With an EPSS score of 0.76% (73rd percentile) and low attack complexity requiring only user interaction to open a malicious file, this vulnerability represents a moderate practical risk despite the moderate CVSS 5.5 score.
Technical ContextAI
The vulnerability resides in GStreamer's audio parsing infrastructure, specifically in the Advanced Audio Coding (AAC) parser module within gst-plugins-good. The affected component (gst/audioparsers/gstaacparse.c) handles the capability negotiation during audio stream setup. The root cause is classified as CWE-125 (Out-of-bounds Read), indicating improper bounds checking when reading memory during AAC file parsing. When the gst_aac_parse_sink_setcaps function processes a malformed AAC file with invalid metadata or frame headers, it fails to validate buffer boundaries before dereferencing memory, leading to an out-of-bounds read. GStreamer versions prior to 1.10.3 are affected, as confirmed via CPE cpe:2.3:a:gstreamer:gstreamer. The vulnerability impacts all applications built on or linked against the vulnerable gst-plugins-good library for audio playback functionality.
RemediationAI
Upgrade GStreamer to version 1.10.3 or later immediately. Users should reference the official GStreamer 1.10.3 release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3 for download and installation instructions. For distribution users, apply vendor-supplied patches: Debian/Ubuntu users should install security updates from DSA-3820 or later; Red Hat/CentOS users should apply RHSA-2017:2060 or subsequent updates. If immediate patching is impossible, implement application-level controls by restricting GStreamer usage to trusted audio sources and disabling automatic media playback from untrusted origins. Organizations running media servers or transcoding services should prioritize this update as a high-priority maintenance task given the widespread deployment of GStreamer in audio/video processing pipelines.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today