
PatchSiren cyber security CVE debrief

CVE-2016-10192 FFmpeg CVE debrief

CVE-2016-10192 is a critical FFmpeg vulnerability in ffserver.c where failure to validate chunk size can trigger a heap-based buffer overflow. The NVD record rates it 9.8/CRITICAL with network attack vector, low complexity, no privileges required, and no user interaction, making it a plausible remote code execution issue for exposed deployments.

Vendor: FFmpeg
Product: CVE-2016-10192
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Anyone running FFmpeg deployments that include or expose the FFserver code path, especially legacy servers, downstream packages, and products that embed FFmpeg components. Security teams should also check for vendor backports and statically linked copies in appliances or applications.

Technical summary

The vulnerability is a heap-based buffer overflow in ffserver.c caused by failing to check chunk size. NVD maps it to CWE-119 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable flaw that can affect confidentiality, integrity, and availability. The affected version ranges listed in the record are FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade FFmpeg to a fixed release: 2.8.10 or later, 3.0.5 or later, 3.1.6 or later, or 3.2.2 or later, depending on the major line in use.
  • If FFserver is not needed, disable or remove it to eliminate exposure of the vulnerable code path.
  • Check downstream vendor packages and backports to confirm the fix is actually included in your build.
  • Inventory embedded, statically linked, and appliance copies of FFmpeg that may not be covered by standard package updates.
  • Restrict network exposure of any FFserver deployment while remediation is in progress.
  • Use the FFmpeg security advisory and linked patch references to validate the remedied build version or commit lineage.
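The upgrade and inventory steps above come down to one question per host: is the FFmpeg build on or after the fixed release for its line? The following script is an added example written for this debrief, not PatchSiren's or FFmpeg's own code. It takes the first line of `ffmpeg -version` output, extracts the version token, and classifies it against the four fixed releases stated above (2.8.10, 3.0.5, 3.1.6, 3.2.2). It assumes release-style version strings ("3.2.2", "n3.1.6", or a distro-suffixed "3.2.2-1ubuntu1"); git snapshot builds such as "N-86111-g1234abc" cannot be mapped to a release and are reported as unknown rather than guessed. The host names and banner lines are constructed sample data.

```python
"""Added example: classify FFmpeg version strings against the CVE-2016-10192
fixed releases listed in the debrief (2.8.10, 3.0.5, 3.1.6, 3.2.2).

Not PatchSiren's or FFmpeg's code. Assumes release-style version strings;
later major lines (3.3+) are treated as fixed; git snapshots are 'unknown'.
"""
import re
from typing import Dict, Optional, Tuple

# Lowest fixed release on each affected line, taken from the debrief.
FIXED_BY_LINE = {
    (2, 8): (2, 8, 10),
    (3, 0): (3, 0, 5),
    (3, 1): (3, 1, 6),
    (3, 2): (3, 2, 2),
}
LAST_AFFECTED_LINE = (3, 2)  # anything newer shipped after the fix

# Matches "3.2.2", "3.2" and release tags like "n3.1.6".
_RELEASE_RE = re.compile(r"^n?(\d+)\.(\d+)(?:\.(\d+))?$")


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the version token out of the first line of `ffmpeg -version`
    output, e.g. "ffmpeg version 3.2.2 Copyright (c) ..." -> "3.2.2"."""
    m = re.match(r"^ffmpeg version (\S+)", banner.strip())
    return m.group(1) if m else None


def parse_release(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a release-style version string,
    or None for git snapshots ("N-86111-g...") and other unparsable input."""
    # Drop a distro suffix such as "3.2.2-1ubuntu1" down to the upstream part.
    upstream = version.strip().split("-", 1)[0]
    m = _RELEASE_RE.match(upstream)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for CVE-2016-10192.

    A distro package below the threshold may still carry a backported fix,
    so 'vulnerable' means 'check this build', not a final verdict.
    """
    rel = parse_release(version)
    if rel is None:
        return "unknown"
    line = (rel[0], rel[1])
    if line in FIXED_BY_LINE:
        return "fixed" if rel >= FIXED_BY_LINE[line] else "vulnerable"
    if line > LAST_AFFECTED_LINE:
        return "fixed"
    return "vulnerable"  # everything before 2.8.10 (2.7.x, 1.x, ...)


# Constructed sample banners in the shape `ffmpeg -version` prints (hypothetical hosts).
SAMPLE_BANNERS = {
    "media-01": "ffmpeg version 3.1.5 Copyright (c) 2000-2016 the FFmpeg developers",
    "media-02": "ffmpeg version 3.2.2-1ubuntu1 Copyright (c) 2000-2016 the FFmpeg developers",
    "media-03": "ffmpeg version N-86111-g1234abc Copyright (c) 2000-2017 the FFmpeg developers",
    "media-04": "ffmpeg version n2.8.10 Copyright (c) 2000-2017 the FFmpeg developers",
    "media-05": "ffmpeg version 2.7.7 Copyright (c) 2000-2016 the FFmpeg developers",
}


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict. Unparsable banners are 'unknown' so they land
    on the manual-review list instead of silently passing."""
    results = {}
    for host, banner in banners.items():
        ver = version_from_banner(banner)
        results[host] = classify(ver) if ver else "unknown"
    return results


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
```

Feed the script the banner collected from each host (or from statically linked binaries, where `strings` on the binary usually still exposes the "ffmpeg version" banner) and treat the "unknown" and "vulnerable" buckets as the list to validate against the FFmpeg security page and the patch commit lineage, as the last bullet recommends.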

Evidence notes

The debrief is based on the supplied CVE description and the official NVD record. The NVD metadata lists CWE-119 and CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and its reference set includes the FFmpeg security page, two oss-security mailing list threads, and a GitHub patch commit. Version ranges are taken from the provided CVE data.

Official resources

The CVE record was published on 2017-02-09 and last modified on 2026-05-13, which is the timing context used here. No later publication or review date should be treated as the vulnerability’s original issue date.