CVE-2016-10191: Buffer Overflow
First published: Thu Feb 09 2017(Updated: )
Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| FFmpeg | <=2.8.9 | |
| FFmpeg | =3.0 | |
| FFmpeg | =3.0.1 | |
| FFmpeg | =3.0.2 | |
| FFmpeg | =3.0.3 | |
| FFmpeg | =3.0.4 | |
| FFmpeg | =3.1 | |
| FFmpeg | =3.1.1 | |
| FFmpeg | =3.1.2 | |
| FFmpeg | =3.1.3 | |
| FFmpeg | =3.1.4 | |
| FFmpeg | =3.1.5 | |
| FFmpeg | =3.2 | |
| FFmpeg | =3.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2017/01/31/12
- http://www.openwall.com/lists/oss-security/2017/02/02/1
- http://www.securityfocus.com/bid/95989
- https://ffmpeg.org/security.html
- https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b3ee7
- https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html
Frequently Asked Questions
What is the severity of CVE-2016-10191?
CVE-2016-10191 is classified as a critical vulnerability due to the potential for remote code execution.
How do I fix CVE-2016-10191?
To fix CVE-2016-10191, upgrade to FFmpeg version 2.8.10 or later, or 3.0.5 or later, 3.1.6 or later, or 3.2.2 or later.
What does CVE-2016-10191 affect?
CVE-2016-10191 affects multiple versions of FFmpeg, specifically all versions prior to 2.8.10, 3.0.5, 3.1.6, and 3.2.2.
How does CVE-2016-10191 impact my system?
CVE-2016-10191 can allow remote attackers to execute arbitrary code on affected systems by exploiting the heap-based buffer overflow.
Is CVE-2016-10191 exploitable over the network?
Yes, CVE-2016-10191 is exploitable remotely, making it particularly dangerous for systems exposed to untrusted networks.
- agent/references
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ffmpeg
- canonical/ffmpeg
- version/ffmpeg/2.8.9
- version/ffmpeg/3.0
- version/ffmpeg/3.0.1
- version/ffmpeg/3.0.2
- version/ffmpeg/3.0.3
- version/ffmpeg/3.0.4
- version/ffmpeg/3.1
- version/ffmpeg/3.1.1
- version/ffmpeg/3.1.2
- version/ffmpeg/3.1.3
- version/ffmpeg/3.1.4
- version/ffmpeg/3.1.5
- version/ffmpeg/3.2
- version/ffmpeg/3.2.1