Skip to main content

GStreamer CVE-2016-10199

HIGH
Out-of-bounds Read (CWE-125)
2017-02-09 cve@mitre.org
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Feb 09, 2017 - 15:59 nvd
HIGH 7.5

DescriptionCVE.org

The qtdemux_tag_add_str_full function in gst/isomp4/qtdemux.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted tag value.

AnalysisAI

A memory safety vulnerability in GStreamer's MP4/QuickTime demuxer allows remote attackers to trigger an out-of-bounds read when processing malformed tag values in media files. The vulnerability affects GStreamer versions before 1.10.3 and can cause application crashes when parsing specially crafted MP4/MOV files. With an EPSS score of 3.13% (87th percentile), this vulnerability has moderate exploitation likelihood in the wild.

Technical ContextAI

The vulnerability exists in the qtdemux_tag_add_str_full function within the gst/isomp4/qtdemux.c component of the gst-plugins-good package in GStreamer multimedia framework (CPE: cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*). This function handles metadata tag parsing in ISO MP4/QuickTime format files. The root cause is a CWE-125 (Out-of-bounds Read) condition where the code fails to properly validate tag value boundaries before reading memory, leading to potential information disclosure through memory contents beyond the intended buffer.

RemediationAI

Upgrade GStreamer to version 1.10.3 or later as documented in the official GStreamer release notes at https://gstreamer.freedesktop.org/releases/1.10/#1.10.3. Linux distribution users should apply vendor-specific security updates: Debian users should reference DSA-3820, Red Hat users should apply RHSA-2017:2060, and Gentoo users should follow GLSA 201705-10. As a temporary mitigation until patching is complete, consider implementing input validation for media files from untrusted sources or isolating media processing operations in sandboxed environments to limit the impact of potential crashes.

Share

CVE-2016-10199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy