CVE-2016-6164 Ffmpeg CVE debrief

Who should care

Teams that ingest or transcode untrusted media with FFmpeg should care, especially services, desktop apps, media gateways, and embedded products that parse MOV/QuickTime content from external sources.

Technical summary

The vulnerability is a CWE-190 integer overflow in mov_build_index in FFmpeg's libavformat/mov.c. According to the CVE record, the issue is triggered through vectors involving sample size handling in MOV parsing. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation is possible without authentication or user interaction. NVD lists affected FFmpeg releases through 2.8.7, 3.0.2 in the 3.0 branch, and 3.1.0 in the 3.1 branch, with the CVE description also naming fixed releases 2.8.8, 3.0.3, and 3.1.1.

Defensive priority

High. This is an internet-reachable media parsing flaw with critical CVSS severity and no required privileges or interaction. Prioritize any exposed service or application that accepts attacker-controlled MOV content.

Recommended defensive actions

• Update FFmpeg to a fixed release at or above 2.8.8, 3.0.3, or 3.1.1, depending on the branch in use.
• Inventory all applications, services, and embedded products that bundle or link against FFmpeg.
• Treat untrusted media as high risk and limit direct exposure of parsing pipelines to attacker-controlled files.
• Validate that vendor packages or downstream builds include the relevant FFmpeg security fix, not just the upstream version string.
• Use the official FFmpeg security advisory and the linked upstream commit to confirm patch status in your environment.

Evidence notes

Supported by the NVD CVE record and the FFmpeg vendor advisory link referenced in the source corpus. The CVE description names the vulnerable function and fixed versions; NVD classifies the weakness as CWE-190 and publishes the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. No KEV entry is present in the supplied enrichment data.

Official resources