CVE-2016-9446

HIGH 7.5 (CVSS 3.1)
2017-01-23 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
CVE Published: Jan 23, 2017 - 21:59 (nvd), HIGH 7.5

Description

The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.

Analysis

The GStreamer multimedia framework contains an uninitialized memory vulnerability in its VMNC (VMware VNC) decoder that allows remote attackers to read sensitive information from process memory. When processing specially crafted VMNC video files (such as a single-frame movie that doesn't draw to the canvas), the decoder exposes uninitialized memory contents that may contain passwords, cryptographic keys, or other sensitive data from the application's memory space. A proof-of-concept exploit exists and has been publicly disclosed, with an EPSS score of 1.28% indicating moderate real-world exploitation likelihood.

Technical Context

The vulnerability affects the VMNC (VMware VNC) decoder component within GStreamer's gst-plugins-bad package, as identified by CPE cpe:2.3:a:gstreamer:gstreamer. VMNC is a video codec format used primarily for screen recording and remote desktop applications. The root cause is CWE-665 (Improper Initialization), where the decoder fails to properly initialize the render canvas memory buffer before use. When thumbnailing or processing VMNC video files, if the video frames don't completely overwrite the allocated canvas buffer, the uninitialized memory regions remain accessible and can be extracted from the resulting output, potentially exposing whatever data previously occupied those memory addresses.
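The failure mode described above, as an added example: this is a simplified model and not GStreamer's code. A constructed arena stands in for reused heap memory, and `struct rect`, `canvas_alloc`, `decode_frame` and `nonzero_bytes` are hypothetical names; the block compares the output of a frame that draws nothing, with and without zeroing the canvas.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define W 8
#define H 8
#define CANVAS_BYTES (W * H * 4)   /* 32-bit pixels */

/* Constructed stand-in for heap memory that is reused without clearing. */
static uint8_t arena[CANVAS_BYTES];

/* Hypothetical rectangle update: the only operation that writes pixels. */
struct rect { int x, y, w, h; uint32_t colour; };

/* Earlier, unrelated use of the same memory (constructed sample data). */
static void earlier_use(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, "constructed-secret", 18);
}

static uint8_t *canvas_alloc(int zero_init) {
    if (zero_init)
        memset(arena, 0, CANVAS_BYTES);   /* the initialization step */
    return arena;                         /* otherwise stale bytes remain */
}

static void decode_frame(uint8_t *canvas, const struct rect *r, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const struct rect *q = &r[i];
        if (q->x < 0 || q->y < 0 || q->w < 0 || q->h < 0 ||
            q->w > W - q->x || q->h > H - q->y)
            continue;                     /* reject out-of-canvas updates */
        for (int y = q->y; y < q->y + q->h; y++)
            for (int x = q->x; x < q->x + q->w; x++)
                memcpy(canvas + 4 * ((size_t)y * W + x), &q->colour, 4);
    }
}

/* Non-zero bytes in the rendered output; for a frame that draws nothing,
   every such byte is left over from the earlier use of the memory. */
size_t nonzero_bytes(int zero_init, const struct rect *r, size_t n) {
    earlier_use();
    uint8_t *canvas = canvas_alloc(zero_init);
    decode_frame(canvas, r, n);
    size_t count = 0;
    for (size_t i = 0; i < CANVAS_BYTES; i++)
        count += canvas[i] != 0;
    return count;
}

int main(void) {
    printf("no init: %zu stale bytes, zeroed: %zu\n",
           nonzero_bytes(0, NULL, 0), nonzero_bytes(1, NULL, 0));
    return 0;
}
```

A frame that covers only part of the canvas behaves the same way in the uncovered region, which is why the canvas has to be initialized at allocation rather than relying on the stream to overwrite it.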

Affected Products

GStreamer versions prior to the November 2016 patch are affected, specifically the gst-plugins-bad component containing the VMNC decoder (cpe:2.3:a:gstreamer:gstreamer). Red Hat Enterprise Linux 7.x and its variants (Desktop, Server, EUS, AUS) through version 7.7 are confirmed vulnerable based on the CPE entries and Red Hat's security advisory RHSA-2017:2060. Fedora Linux distributions were also affected as noted in the Fedora security announcement. Gentoo Linux addressed this in security advisory GLSA-201705-10. The original vulnerability report came from [email protected] to the GStreamer project.

Remediation

Apply the patch commit 4cb1bcf1422bbcd79c0f683edb7ee85e3f7a31fe from the GStreamer gst-plugins-bad repository, which properly initializes the render canvas buffer. For Red Hat Enterprise Linux 7 users, install the updates provided in RHSA-2017:2060. Fedora users should apply the updates announced at the Fedora package announcement list. Gentoo users should follow GLSA-201705-10 guidance. As a temporary mitigation, disable VMNC codec support or avoid processing untrusted VMNC video files until patching is complete. Organizations should particularly focus on patching systems that automatically process video content from untrusted sources, such as web browsers with media preview capabilities or automated thumbnail generation services.

Priority Score

39
KEV: 0
EPSS: +1.3
CVSS: +38
POC: 0
