PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10190 FFmpeg CVE debrief

CVE-2016-10190 is a critical memory corruption issue in FFmpeg's HTTP handling code. According to NVD, a remote web server can trigger a heap-based buffer overflow in libavformat/http.c by sending a negative chunk size in an HTTP response. The issue was publicly disclosed on 2017-02-09, with vendor and mailing-list references indicating patch and advisory activity around that time.

Vendor: FFmpeg
Product: CVE-2016-10190
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Organizations and developers that use FFmpeg to fetch or process remote HTTP content should treat this as urgent, especially if FFmpeg is embedded in media services, transcoders, streaming platforms, clients, or other network-facing systems.

Technical summary

NVD describes the flaw as a heap-based buffer overflow in libavformat/http.c, classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer). The attack vector is network-based with no privileges or user interaction required, and the CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. A malicious HTTP response containing a negative chunk size can cause an out-of-bounds heap access, creating a path to code execution or a crash.
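The root cause described above is a chunk-size value that is accepted with a sign it should never carry. The following added example (not FFmpeg's code, and not a reconstruction of the patched http.c) contrasts a sign-oblivious parse built on strtoll, which happily returns -1 for the line "-1", with a strict parser that keeps the size unsigned end to end, rejects anything that is not a hex digit up front, refuses uint64_t overflow, and enforces a policy cap. The cap CHUNK_SIZE_MAX, the function names and the sample lines are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>

/* Policy cap on a single chunk; an assumption for this example, not an FFmpeg setting. */
#define CHUNK_SIZE_MAX ((uint64_t)64 * 1024 * 1024)

/* Sign-oblivious parse of the kind that lets "-1" through: strtoll accepts a
 * leading '-', so the caller receives a negative length and any later cast to
 * a size type turns it into a huge value. Shown only to illustrate the bug
 * class; this is not FFmpeg's code. */
int64_t naive_chunk_size(const char *line)
{
    return strtoll(line, NULL, 16);
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    return tolower(c) - 'a' + 10;
}

/* Strict parse of an HTTP chunk-size line such as "1a\r\n" or "ff;ext=1\r\n".
 * Returns 0 and stores the size in *out on success; -1 if the line is empty,
 * starts with anything but a hex digit (so '-' and '+' are rejected), carries
 * trailing garbage, overflows uint64_t, or exceeds CHUNK_SIZE_MAX. The value
 * is unsigned throughout, so no negative length can reach a buffer-size
 * computation. */
int parse_chunk_size(const char *line, uint64_t *out)
{
    const char *p = line;
    uint64_t v = 0;

    if (!p || !out || !isxdigit((unsigned char)*p))
        return -1;
    while (isxdigit((unsigned char)*p)) {
        if (v > (UINT64_MAX >> 4))   /* the next shift would overflow */
            return -1;
        v = (v << 4) | (uint64_t)hexval((unsigned char)*p);
        p++;
    }
    if (*p == ';')                    /* skip chunk extensions */
        while (*p && *p != '\r' && *p != '\n')
            p++;
    if (*p == '\r')
        p++;
    if (*p == '\n')
        p++;
    if (*p != '\0')                   /* anything else is malformed */
        return -1;
    if (v > CHUNK_SIZE_MAX)
        return -1;
    *out = v;
    return 0;
}
```

The two checks that matter for this CVE class are the first isxdigit test, which refuses a sign character before any arithmetic happens, and the pre-shift overflow test; the policy cap is a separate, deployment-specific choice that bounds how much a single chunk can make the client allocate.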

Defensive priority

Critical. The combination of remote reachability, no authentication, no user interaction, and a high-impact memory corruption primitive makes this a high-priority patching item for any environment that processes untrusted HTTP responses with affected FFmpeg versions.

Recommended defensive actions

  • Upgrade FFmpeg to a fixed release: 2.8.10, 3.0.5, 3.1.6, 3.2.2, or later.
  • Inventory applications and appliances that bundle FFmpeg, because downstream packaging may lag behind upstream fixes.
  • Check whether your deployment fetches media or manifests from untrusted or externally controlled HTTP sources.
  • Apply vendor backports or security updates if you cannot move immediately to a fixed upstream version.
  • Validate that any security scanning or SBOM process tracks embedded FFmpeg components, not just standalone packages.
  • Monitor vendor advisories and changelogs for the specific FFmpeg build you deploy.
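Because the fix landed on four release branches at once, a plain numeric comparison gets the inventory wrong: 3.0.4 is numerically above 2.8.10 yet still affected. The following added example (not part of the debrief or of FFmpeg) encodes the branch-aware rule from the fixed-release list above and applies it both to a bare version string and to the first line of `ffmpeg -version` output. The function names and the sample banner lines are constructed for this example; the "n" prefix handling assumes git-tag style versions such as n3.2.2.

```c
#include <stdio.h>
#include <string.h>

/* Fix releases named in the debrief, one per affected branch. */
static const struct { int major, minor, patch; } FIXED[] = {
    {2, 8, 10}, {3, 0, 5}, {3, 1, 6}, {3, 2, 2},
};
#define NFIXED (sizeof FIXED / sizeof FIXED[0])

/* Returns 1 when a version such as "3.1.6", "n3.2.2" or "4.2.2-1ubuntu1" is
 * at or past the fix on its branch; 0 when it is affected, on a branch the
 * advisory does not name, or unparseable (the conservative default).
 * Branches newer than 3.2 are treated as carrying the fix ("or later"). */
int ffmpeg_version_is_fixed(const char *version)
{
    int major, minor, patch = 0;

    if (!version)
        return 0;
    if (*version == 'n')                 /* git tag style, e.g. n3.2.2 */
        version++;
    if (sscanf(version, "%d.%d.%d", &major, &minor, &patch) < 2)
        return 0;
    for (size_t i = 0; i < NFIXED; i++)
        if (FIXED[i].major == major && FIXED[i].minor == minor)
            return patch >= FIXED[i].patch;   /* same branch: compare patch level */
    if (major > 3 || (major == 3 && minor > 2))
        return 1;
    return 0;
}

/* The same check applied to the first line of `ffmpeg -version` output. */
int ffmpeg_banner_is_fixed(const char *banner)
{
    static const char prefix[] = "ffmpeg version ";

    if (!banner || strncmp(banner, prefix, sizeof prefix - 1) != 0)
        return 0;
    return ffmpeg_version_is_fixed(banner + sizeof prefix - 1);
}
```

One caveat matches the backport advice above: a distribution that patches the bug while keeping the upstream version number will be reported as affected by this check, so treat its result as a prompt to consult the vendor changelog rather than a verdict.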

Evidence notes

The debrief is based on the NVD CVE record, the FFmpeg security advisory reference, and the linked OSS-security and GitHub commit references provided in the source corpus. The supplied NVD entry identifies the vulnerability as a heap-based buffer overflow in libavformat/http.c, assigns CWE-119, and lists affected FFmpeg version ranges ending at 2.8.9, 3.0.4, 3.1.5, and 3.2.1. The record also includes the FFmpeg security page, a fix commit, and related mailing-list and ticket references as corroborating sources.

Official resources

Publicly disclosed on 2017-02-09. The supplied timeline also shows an NVD modification on 2026-05-13; that is the date the NVD record was last updated, not the date of the vulnerability or its disclosure.