CVE-2016-6832 Libav CVE debrief

Who should care

Teams running libav 11.3 or earlier, package maintainers, and operators whose deployments still include libav’s audio resampling code paths.

Technical summary

The vulnerability is a heap-based buffer overflow in ff_audio_resample within resample.c. NVD lists the affected CPE range as libav versions up to and including 11.3, with the fix referenced by a libav git commit and a bug tracker entry. The impact described in the record is availability-only: a crash/denial of service. The NVD description and CVSS vector do not fully align on attack conditions, so the most reliable operational takeaway is that pre-11.4 libav builds should be considered vulnerable until patched or replaced.

Defensive priority

Medium priority. Upgrade or backport the fix promptly if libav remains deployed, especially on systems that still process audio content through libav.

Recommended defensive actions

• Inventory all libav deployments and confirm whether any instance is at version 11.3 or earlier.
• Upgrade to libav 11.4 or a vendor build that includes the referenced fix commit.
• If immediate upgrade is not possible, backport the patch from the referenced libav commit into your packaged build.
• Review any workflows that reach ff_audio_resample and confirm patched binaries are the only versions available in production.
• Validate remediation by checking installed package versions and, where applicable, changelogs or backported patch metadata.

Evidence notes

The NVD record for CVE-2016-6832 identifies a heap-based buffer overflow in ff_audio_resample in resample.c, affecting libav through 11.3, with CWE-119 and a CVSS 5.5 score. The supplied references include August 2016 advisory/mailing-list entries, a Gentoo blog advisory, a libav bug tracker entry, and the fix commit. The record’s description says remote attackers can trigger a crash, while the CVSS vector says AV:L/UI:R; that discrepancy is present in the source corpus and should be noted when assessing exposure.

Official resources