CVE-2016-9446 — Improper Initialization in Gstreamer

CWE-665 — Improper Initialization CWE-456 — Missing Initialization of a Variable12 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.3%

top 20.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gstreamer Fedoraproject Fedora Redhat Enterprise Linux Desktop +5 more

Timeline

PublishedJan 23

Latest updateMay 13

Description

The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated by thumbnailing a simple 1 frame vmnc movie that does not draw to the allocated render canvas.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDgstreamer/gstreamer< 1.11.1

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Fedora 35, Enterprise Linux 7.4, 7.5, 7.6, 7.7

🔴Vulnerability Details

GHSA

GHSA-3xp5-mpvc-wqpw: The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated↗2022-05-13

▶

CVEList

CVE-2016-9446: The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated↗2017-01-23

▶

OSV

CVE-2016-9446: The vmnc decoder in the gstreamer does not initialize the render canvas, which allows remote attackers to obtain sensitive information as demonstrated↗2017-01-23

▶

📋Vendor Advisories

Red Hat

gstreamer-plugins-bad-free: Missing initialization of allocated heap memory leads to information leak↗2016-11-15

▶

Debian

CVE-2016-9446: gst-plugins-bad1.0 - The vmnc decoder in the gstreamer does not initialize the render canvas, which a...↗2016

▶

💬Community

Bugzilla

CVE-2016-9446 mingw-gstreamer1: gstreamer: Missing initialization of allocated heap memory leads to information leak [epel-7]↗2016-11-21

▶

Bugzilla

CVE-2016-9446 gstreamer: Missing initialization of allocated heap memory leads to information leak [fedora-all]↗2016-11-21

▶

Bugzilla

CVE-2016-9446 mingw-gstreamer: gstreamer: Missing initialization of allocated heap memory leads to information leak [fedora-all]↗2016-11-21

▶

Bugzilla

CVE-2016-9446 gstreamer1: gstreamer: Missing initialization of allocated heap memory leads to information leak [fedora-all]↗2016-11-21

▶

Bugzilla

CVE-2016-9446 mingw-gstreamer1: gstreamer: Missing initialization of allocated heap memory leads to information leak [fedora-all]↗2016-11-21

▶