PatchSiren cyber security CVE debrief

CVE-2016-7393 Libav CVE debrief

CVE-2016-7393 is a media-parsing flaw in Libav’s AAC handling that can be triggered by a crafted file. The issue is described as a stack-based buffer overflow in aac_sync, and the published impact is denial of service through an out-of-bounds read. NVD lists Libav versions through 11.4 as vulnerable.

Vendor: Libav
Product: CVE-2016-7393
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Teams that build, package, or embed Libav; maintainers of media-processing services; and any application that accepts untrusted audio files and relies on Libav for parsing.

Technical summary

The vulnerable code path is aac_sync in aac_parser.c. According to the supplied record, a crafted file can drive a stack-based buffer overflow leading to an out-of-bounds read and service disruption. NVD maps the weakness to CWE-125 and marks the affected range as Libav up to and including 11.4, corresponding to the description of "before 11.5." The NVD CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating user interaction is required and availability impact is high.

Defensive priority

Medium. This is a denial-of-service issue rather than a code-execution advisory in the supplied record, but it affects untrusted-file parsing paths that are often externally reachable through normal workflows.

Recommended defensive actions

  • Upgrade Libav to a version later than 11.4; the supplied advisory scope says the issue is fixed in 11.5 or later.
  • If upgrading is not immediately possible, restrict or sandbox processing of untrusted audio files that may be parsed by Libav.
  • Apply least-privilege and isolation controls around media conversion or ingestion services so a crash is contained.
  • Monitor for crashes or abnormal termination in AAC parsing paths and treat crafted-file handling as a security-sensitive input path.
  • For packaged distributions, verify downstream backports or vendor patches rather than relying only on upstream version labels.
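Two of the actions above (checking the installed version against the 11.5 fix boundary, and treating crashes in the AAC parsing path as security-relevant) can be automated. The helper below is an added example, not code from the advisory or from the Libav project; it assumes the Libav command-line tool is `avconv`, that its `-version` banner contains "version 11.4" style text, and that a decode-to-null run (`-f null -`) exercises the parser on a file that a service is about to ingest.

```python
"""Defensive helpers for CVE-2016-7393 (Libav aac_sync out-of-bounds read).

Added example (not from the advisory or from Libav). Assumptions: the CLI
binary is named `avconv` and its banner looks like "avconv version 11.4, ...".
"""
import re
import signal
import subprocess
from typing import Optional, Tuple

FIXED_IN = (11, 5)  # advisory scope: Libav before 11.5 is affected

# Signals that indicate a memory fault rather than an ordinary decode error.
MEMORY_FAULT_SIGNALS = {
    int(getattr(signal, name))
    for name in ("SIGSEGV", "SIGBUS", "SIGABRT")
    if hasattr(signal, name)
}


def parse_libav_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract a numeric version tuple from an `avconv -version` banner."""
    match = re.search(r"\bversion\s+v?(\d+(?:\.\d+)*)", banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(banner: str) -> bool:
    """True when the banner reports a Libav release below the 11.5 fix."""
    version = parse_libav_version(banner)
    return version is not None and version < FIXED_IN


def classify_exit(returncode: int) -> str:
    """Triage a decoder's exit status; negative codes mean killed by signal."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        # A crash in the parser on untrusted input: quarantine the file.
        return "memory-fault" if -returncode in MEMORY_FAULT_SIGNALS else "signal"
    return "error"  # normal decode failure (corrupt or unsupported input)


def probe_audio_file(path: str, timeout: float = 30.0) -> str:
    """Run the parser to a null sink under a timeout and classify the outcome."""
    cmd = ["avconv", "-v", "error", "-i", path, "-f", "null", "-"]
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    except FileNotFoundError:
        return "no-avconv"
    return classify_exit(proc.returncode)
```

A "memory-fault" result on an ingestion path is the signal the monitoring action above is looking for; the file should be quarantined and the event logged, not retried.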

Evidence notes

The record states: "Stack-based buffer overflow in the aac_sync function in aac_parser.c in Libav before 11.5 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file." NVD also lists the weakness as CWE-125 and the vulnerable CPE range through version 11.4. Advisory/reference links in the supplied corpus include a Gentoo security blog write-up, an oss-security mailing list post, and a Libav git commit reference. The NVD CVSS vector supplied with the record is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Official resources

Publicly referenced in 2016 advisories and patch discussions; the CVE record was published on 2017-02-15 and last modified on 2026-05-13.