PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10191 FFmpeg CVE debrief

CVE-2016-10191 is a critical memory-safety flaw in FFmpeg’s RTMP packet handling. The issue is a heap-based buffer overflow in libavformat/rtmppkt.c caused by failure to check RTMP packet size mismatches. In vulnerable FFmpeg releases, a remote attacker could trigger the flaw through specially crafted input and potentially execute arbitrary code. NVD lists affected branches as FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2.

Vendor: FFmpeg
Product: CVE-2016-10191
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Administrators, application owners, and distributors that ship or embed FFmpeg/libavformat and accept untrusted media or RTMP input should treat this as high priority. This is especially relevant for streaming services, media gateways, converters, and any software that processes externally supplied content using affected FFmpeg versions.

Technical summary

NVD describes the weakness as a heap-based buffer overflow in libavformat/rtmppkt.c, categorized under CWE-119. The root cause is a failure to validate RTMP packet size mismatches, which can lead to out-of-bounds heap writes during packet processing. The NVD CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting remote, unauthenticated exploitation with potentially severe confidentiality, integrity, and availability impact.

Defensive priority

Critical. Because the flaw is remotely reachable, unauthenticated, and tied to a widely used media library, vulnerable deployments should be prioritized for immediate patching or version replacement.

Recommended defensive actions

  • Upgrade FFmpeg to a fixed release: 2.8.10 or later, 3.0.5 or later, 3.1.6 or later, or 3.2.2 or later, depending on the branch in use.
  • Inventory all products and services that bundle FFmpeg or libavformat, including transitive dependencies in media pipelines and streaming stacks.
  • Treat systems that process untrusted RTMP traffic or external media as highest priority for remediation.
  • Verify whether your Linux distribution or vendor has backported the fix before assuming a package version is safe.
  • Confirm exposure by checking installed package versions and any application-specific FFmpeg builds against the affected version ranges listed by NVD.
  • Review vendor and upstream security advisories for deployment-specific guidance and patch availability.
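The version check in the last two actions, as an added example that is not PatchSiren's or FFmpeg's own code: it parses the first line of `ffmpeg -version` output and applies the NVD branch ranges from this debrief. The sample outputs are constructed, and a packaged build whose distribution backported the fix will still be flagged here, so treat a "vulnerable" result as a prompt to check the vendor advisory, not as proof.

```python
"""Map an FFmpeg version string onto the CVE-2016-10191 affected ranges.

NVD lists FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6 and
3.2.x before 3.2.2 as affected; 3.3 and later are outside every listed range.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release of each 3.x branch named by NVD. The 2.8.10 floor is
# handled separately because "before 2.8.10" also covers every older 2.x.
FIXED_BY_BRANCH = {(3, 0): (3, 0, 5), (3, 1): (3, 1, 6), (3, 2): (3, 2, 2)}

# Matches "ffmpeg version 3.2.1 ..." and "ffmpeg version n3.2.1 ..."; the
# distro packaging suffix (e.g. "-1~bpo8+1") is deliberately ignored.
_VERSION_RE = re.compile(r"ffmpeg version n?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(output: str) -> Optional[Version]:
    """Return (major, minor, patch) from `ffmpeg -version` output.

    Git snapshots such as "ffmpeg version N-83000-g1234567" carry no release
    number and return None: they must be checked against the fix commit.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: Version) -> bool:
    """True when the release falls inside an NVD-listed affected range."""
    if version < (2, 8, 10):          # "FFmpeg before 2.8.10"
        return True
    fixed = FIXED_BY_BRANCH.get(version[:2])
    return fixed is not None and version < fixed


def assess(output: str) -> str:
    """Classify one host's `ffmpeg -version` output for CVE-2016-10191."""
    version = parse_version(output)
    if version is None:
        return "unknown: git snapshot, verify the rtmppkt.c fix commit"
    return "vulnerable" if is_vulnerable(version) else "not in affected range"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real systems.
    for line in ("ffmpeg version 3.2.1 Copyright (c) 2000-2016 the FFmpeg developers",
                 "ffmpeg version n3.1.6 Copyright (c) 2000-2017 the FFmpeg developers",
                 "ffmpeg version 2.8.9-1~bpo8+1 Copyright (c) 2000-2016",
                 "ffmpeg version N-83000-g1234567 Copyright (c) 2000-2016"):
        print(f"{assess(line):45s} <- {line[:35]}")
```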

Evidence notes

This debrief is based on the official NVD record for CVE-2016-10191 and the referenced FFmpeg and CVE links supplied in the corpus. The CVE was published on 2017-02-09T15:59:00.723Z; later modified timestamps in the record reflect metadata updates, not the original issue date. NVD identifies the flaw as a heap-based buffer overflow in libavformat/rtmppkt.c, with CVSS v3.0 9.8 and CWE-119. The corpus does not include evidence that this CVE is in CISA KEV.

Official resources

Official records in the corpus show the CVE published on 2017-02-09, with upstream patch and advisory references already present in NVD. The later modified date in 2026 is record metadata and should not be read as the vulnerability’s first/