CVE-2016-9447
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
The ROM mappings in the NSF decoder in gstreamer 0.10.x allow remote attackers to cause a denial of service (out-of-bounds read or write) and possibly execute arbitrary code via a crafted NSF music file.
Analysis
A vulnerability in the ROM mappings of the NSF decoder in GStreamer 0.10.x allows remote attackers to trigger out-of-bounds memory access through crafted NSF music files, potentially leading to arbitrary code execution or denial of service. The vulnerability affects all GStreamer 0.10.x versions and requires user interaction to open a malicious NSF file. With an EPSS score of 0.48% (65th percentile) and proof-of-concept exploit code publicly available, this represents a moderate real-world risk for systems processing untrusted media files.
Technical Context
GStreamer is an open-source multimedia framework used extensively in Linux desktop environments for audio/video playback. The vulnerability specifically affects the NSF (NES Sound Format) decoder plugin in the GStreamer 0.10.x branch, where improper ROM memory mappings allow buffer boundaries to be exceeded. According to the CPE data, all versions from 0.10.0 through 0.10.9 are affected. The root cause is CWE-125 (Out-of-bounds Read), though the vulnerability can also result in out-of-bounds writes, making it potentially exploitable for code execution beyond just information disclosure.
Affected Products
All GStreamer 0.10.x versions are affected, specifically versions 0.10.0 through 0.10.9 as confirmed by CPE entries (cpe:2.3:a:gstreamer:gstreamer:0.10.*). Multiple Linux distributions have issued security advisories, including Red Hat (RHSA-2016-2974 and RHSA-2017-0018) and Gentoo (GLSA-201705-10). The vulnerability was reported by [email protected] and affects any application or system using the vulnerable GStreamer library for media playback.
Remediation
Upgrade GStreamer to version 1.x or apply distribution-specific patches as detailed in vendor advisories (Red Hat RHSA-2016-2974, RHSA-2017-0018, Gentoo GLSA-201705-10). Since GStreamer 0.10.x is deprecated, migration to GStreamer 1.x is strongly recommended for long-term security. As a temporary mitigation, disable NSF file format support or implement strict input validation for media files from untrusted sources. Organizations should review the proof-of-concept details at http://scarybeastsecurity.blogspot.de/2016/11/0day-exploit-compromising-linux-desktop.html to understand the attack vector.
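The input-validation mitigation above can be approximated at an upload or download gateway with a content-based filter, shown here as an added example that is not code from this page or from the GStreamer project. The header offsets come from the public NSF format description, the quarantine-everything policy and all function names are assumptions, and the bank-mapping flag is triage information only, since the page does not say which header field triggers the bug.

```python
import struct

NSF_MAGIC = b"NESM\x1a"   # signature from the public NSF format description
NSF_HEADER_LEN = 0x80     # fixed header size in that description

def inspect_nsf(data):
    """Return None for non-NSF data, else a dict of header facts."""
    if not data.startswith(NSF_MAGIC):
        return None
    if len(data) < NSF_HEADER_LEN:
        return {"truncated": True}
    load, init, play = struct.unpack_from("<HHH", data, 0x08)
    return {
        "truncated": False,
        "songs": data[0x06],
        "load_addr": load,
        "init_addr": init,
        "play_addr": play,
        # Non-zero bank values mean the file asks for ROM bank mapping.
        "bankswitched": any(data[0x70:0x78]),
    }

def verdict(filename, data):
    """Policy (assumption): hosts still on GStreamer 0.10.x accept no NSF."""
    info = inspect_nsf(data)
    if info is None:
        return ("allow", "not NSF")
    reasons = ["NSF content"]
    # The name is not trusted: a player may pick the decoder from content.
    if not filename.lower().endswith(".nsf"):
        reasons.append("extension does not match content")
    if info["truncated"]:
        reasons.append("truncated header")
    elif info["bankswitched"]:
        reasons.append("requests ROM bank mapping")
    return ("quarantine", "; ".join(reasons))

def make_sample(bank_values=bytes(8)):
    """Constructed, inert NSF header with no program data."""
    header = bytearray(NSF_HEADER_LEN)
    header[0:5] = NSF_MAGIC
    header[0x05] = 1                                   # version
    header[0x06] = 1                                   # one song
    struct.pack_into("<HHH", header, 0x08, 0x8000, 0x8000, 0x8003)
    header[0x70:0x78] = bank_values
    return bytes(header)

if __name__ == "__main__":
    print(verdict("track.mp3", make_sample(bytes([0, 1, 2, 3, 4, 5, 6, 7]))))
```

Matching on the signature rather than the file name is what makes the filter useful: a renamed file is still quarantined, and the reason string records the mismatch for later review.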