Multiple use-after-free vulnerabilities in the (1) gstminiobjectunref, (2) gsttaglistunref, and (3) gstmxfdemuxupdateessence_tracks functions in GStreamer before 1.10.3 allow remote attackers to cause a denial of service (crash) via vectors involving stream tags, as demonstrated by 02785736.mxf.