Skip to main content

CVE-2016-9447

HIGH
Out-of-bounds Read (CWE-125)
2017-01-23 security@opentext.com
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
CVE Published
Jan 23, 2017 - 21:59 nvd
HIGH 7.8

DescriptionCVE.org

The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote attackers to cause a denial of service (out-of-bounds read or write) and possibly execute arbitrary code via a crafted NSF music file.

AnalysisAI

A vulnerability in the ROM mappings of the NSF decoder in GStreamer 0.10.x allows remote attackers to trigger out-of-bounds memory access through crafted NSF music files, potentially leading to arbitrary code execution or denial of service. The vulnerability affects all GStreamer 0.10.x versions and requires user interaction to open a malicious NSF file. With an EPSS score of 0.48% (65th percentile) and proof-of-concept exploit code publicly available, this represents a moderate real-world risk for systems processing untrusted media files.

Technical ContextAI

GStreamer is an open-source multimedia framework used extensively in Linux desktop environments for audio/video playback. The vulnerability specifically affects the NSF (NES Sound Format) decoder plugin in GStreamer 0.10.x branch, where improper ROM memory mappings allow buffer boundaries to be exceeded. According to the CPE data, all versions from 0.10.0 through 0.10.9 are affected. The root cause is CWE-125 (Out-of-bounds Read), though the vulnerability can also result in out-of-bounds writes, making it potentially exploitable for code execution beyond just information disclosure.

RemediationAI

Upgrade GStreamer to version 1.x or apply distribution-specific patches as detailed in vendor advisories (Red Hat RHSA-2016-2974, RHSA-2017-0018, Gentoo GLSA-201705-10). Since GStreamer 0.10.x is deprecated, migration to GStreamer 1.x is strongly recommended for long-term security. As a temporary mitigation, disable NSF file format support or implement strict input validation for media files from untrusted sources. Organizations should review the proof-of-concept details at http://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-compromising-linux-desktop.html to understand the attack vector.

Share

CVE-2016-9447 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy