CVE-2016-9961 – CVE-2016-9961 is an integer handling vulnerabil... (How to Fix)

Q: What is the severity of CVE-2016-9961?

CVE-2016-9961 has a CVSS score of 9.8 (CRITICAL). CVE-2016-9961 is an integer handling vulnerability in game-music-emu library versions before 0.6.1 that can lead to memory corruption. Attackers can exploit this to execute arbitrary code or cause denial of service. Systems using vulnerable versions of game-music-emu for audio processing are affected.

📋 TL;DR

CVE-2016-9961 is an integer handling vulnerability in game-music-emu library versions before 0.6.1 that can lead to memory corruption. Attackers can exploit this to execute arbitrary code or cause denial of service. Systems using vulnerable versions of game-music-emu for audio processing are affected.

💻 Affected Systems

Products:

game-music-emu library
Applications using game-music-emu for audio processing

Versions: All versions before 0.6.1

Operating Systems: Linux, Windows, macOS, BSD

Default Config Vulnerable: ⚠️ Yes

Notes: Any application that uses game-music-emu library to process audio files is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attacker to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Application crash leading to denial of service, potentially disrupting audio processing functionality.

🟢

If Mitigated

Limited impact with proper memory protection mechanisms and exploit mitigations in place.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Proof of concept code exists in security advisories. Exploitation requires processing malicious audio files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.6.1 and later

Vendor Advisory: https://bitbucket.org/mpyne/game-music-emu/wiki/Home

Restart Required: Yes

Instructions:

1. Download game-music-emu 0.6.1 or later from official repository. 2. Compile and install the updated library. 3. Rebuild any applications that link against game-music-emu. 4. Restart affected services.

🔧 Temporary Workarounds

Disable audio file processing

all

Temporarily disable processing of audio files that use game-music-emu library

Use application sandboxing

linux

Run applications using game-music-emu in restricted environments

firejail --net=none --private /path/to/application

🧯 If You Can't Patch

Implement strict input validation for audio files
Use memory protection mechanisms like ASLR and DEP

🔍 How to Verify

Check if Vulnerable:

Check game-music-emu library version: dpkg -l | grep game-music-emu or rpm -qa | grep game-music-emu

Check Version:

pkg-config --modversion game-music-emu

Verify Fix Applied:

Verify installed version is 0.6.1 or later: game-music-emu --version or check package manager

📡 Detection & Monitoring

Log Indicators:

Application crashes with segmentation faults
Memory access violation errors
Unexpected process termination

Network Indicators:

Unusual network connections from audio processing applications
Outbound connections following audio file processing

SIEM Query:

process_name:game-music-emu AND (event_type:crash OR exit_code:139)

📊 Metadata

CVE ID: CVE-2016-9961

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-189

Published: June 6, 2017

Last Updated: April 20, 2025

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00090.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00005.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/15/11 Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/95305 Third Party Advisory,VDB Entry
https://bitbucket.org/mpyne/game-music-emu/wiki/Home Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1405423 Issue Tracking,Third Party Advisory,VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LKMKVYS7AVB2EXC463FUYN6C6FABHME/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7Z2OVERYM6NW3FGVGTJUNSL5ZNFSH2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGHAQI5Q2XDSPGRRKPJJM3A73VWAFSFL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFKIFSFIDXOKFUKAH2MBNXDTY6DYBF6/
https://scarybeastsecurity.blogspot.cz/2016/12/redux-compromising-linux-using-snes.html Exploit,Technical Description,Third Party Advisory
https://security.gentoo.org/glsa/201707-02
http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00090.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00005.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/15/11 Mailing List,Third Party Advisory
http://www.securityfocus.com/bid/95305 Third Party Advisory,VDB Entry
https://bitbucket.org/mpyne/game-music-emu/wiki/Home Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1405423 Issue Tracking,Third Party Advisory,VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6LKMKVYS7AVB2EXC463FUYN6C6FABHME/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7Z2OVERYM6NW3FGVGTJUNSL5ZNFSH2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGHAQI5Q2XDSPGRRKPJJM3A73VWAFSFL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QHFKIFSFIDXOKFUKAH2MBNXDTY6DYBF6/
https://scarybeastsecurity.blogspot.cz/2016/12/redux-compromising-linux-using-snes.html Exploit,Technical Description,Third Party Advisory
https://security.gentoo.org/glsa/201707-02

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-9961, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fedora by Fedoraproject

Fedora by Fedoraproject

Game Music Emu by Game Music Emu Project

Leap by Opensuse

Leap by Opensuse Project

Suse Linux Enterprise Desktop by Novell

Suse Linux Enterprise Desktop by Novell

Suse Linux Enterprise Server by Novell

Suse Linux Enterprise Server by Novell

Suse Linux Enterprise Server by Novell

Suse Linux Enterprise Software Development Kit by Novell

Suse Linux Enterprise Software Development Kit by Novell

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable audio file processing

Use application sandboxing

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities