CVE-2016-9446
Severity: HIGH (by source)
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.
Analysis (AI)
The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.
Technical Context (AI)
The vulnerability affects the VMNC (VMware VNC) decoder component within GStreamer's gst-plugins-bad package, as identified by CPE cpe:2.3:a:gstreamer:gstreamer. VMNC is a video codec format used primarily for screen recording and remote desktop applications. The root cause is CWE-665 (Improper Initialization), where the decoder fails to properly initialize the render canvas memory buffer before use. When thumbnailing or processing VMNC video files, if the video frames don't completely overwrite the allocated canvas buffer, the uninitialized memory regions remain accessible and can be extracted from the resulting output, potentially exposing whatever data previously occupied those memory addresses.
Remediation (AI)
Apply the patch commit 4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe from the GStreamer gst-plugins-bad repository, which properly initializes the render canvas buffer. For Red Hat Enterprise Linux 7 users, install the updates provided in RHSA-2017:2060. Fedora users should apply the updates announced at the Fedora package announcement list. Gentoo users should follow GLSA-201705-10 guidance. As a temporary mitigation, disable VMNC codec support or avoid processing untrusted VMNC video files until patching is complete. Organizations should particularly focus on patching systems that automatically process video content from untrusted sources, such as web browsers with media preview capabilities or automated thumbnail generation services.
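The failure mode described under Technical Context, and the effect of initializing the canvas as the remediation requires, shown as an added example (not GStreamer's code and not the referenced patch). It is a constructed C model: a fixed arena stands in for recycled heap memory, and `canvas_alloc`, `render_frame`, `thumbnail_leak`, `struct rect` and the sample secret are hypothetical names and data.

```c
#include <stddef.h>
#include <string.h>

#define CANVAS_W 8
#define CANVAS_H 4
#define CANVAS_BYTES (CANVAS_W * CANVAS_H)

/* Constructed stand-in for heap memory that is handed back uncleared. */
static unsigned char arena[CANVAS_BYTES];
static const char SECRET[] = "constructed-secret";   /* sample data only */

struct rect { int x, y, w, h; unsigned char value; }; /* hypothetical update */

/* Allocate the render canvas; zero_init selects the hardened behaviour. */
static unsigned char *canvas_alloc(int zero_init) {
    if (zero_init)
        memset(arena, 0, sizeof arena);
    return arena;
}

/* Draw a frame's rectangles, rejecting any that fall outside the canvas. */
static int render_frame(unsigned char *canvas, const struct rect *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (r[i].x < 0 || r[i].y < 0 || r[i].w < 0 || r[i].h < 0 ||
            r[i].x > CANVAS_W - r[i].w || r[i].y > CANVAS_H - r[i].h)
            return -1;
        for (int row = 0; row < r[i].h; row++)
            memset(canvas + (r[i].y + row) * CANVAS_W + r[i].x,
                   r[i].value, (size_t)r[i].w);
    }
    return 0;
}

/* Decode one frame into out (the "thumbnail") and return how many bytes of
 * the earlier SECRET are still readable in it, or -1 for a rejected frame. */
static int thumbnail_leak(int zero_init, const struct rect *r, size_t n,
                          unsigned char out[CANVAS_BYTES]) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, SECRET, sizeof SECRET - 1);  /* prior use of the memory */
    unsigned char *canvas = canvas_alloc(zero_init);
    if (render_frame(canvas, r, n) != 0)
        return -1;
    memcpy(out, canvas, CANVAS_BYTES);
    int leaked = 0;
    for (size_t i = 0; i < sizeof SECRET - 1; i++)
        leaked += (out[i] == (unsigned char)SECRET[i]);
    return leaked;
}
```

A frame that draws nothing, or only part of the canvas, carries the stale bytes into the output unless the canvas is cleared at allocation, which is why a regression test for this class of bug should decode an empty frame and assert that the output is uniformly zero.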