PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7477 Libav CVE debrief

CVE-2016-7477 describes a denial-of-service issue in Libav 11.7 affecting ff_put_pixels8_xy2_mmx in rnd_template.c. The CVE description says a crafted MP3 file can trigger invalid memory access and a crash, and the original report initially described it as a NULL pointer dereference. NVD classifies the record as CVSS 3.0 5.5 MEDIUM (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). The supplied record also shows a wording mismatch: the narrative mentions remote attackers, while the CVSS vector requires local access and user interaction.

Vendor: Libav
Product: CVE-2016-7477
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Organizations that run Libav 11.7 directly or via bundled software should care, especially teams responsible for media ingestion, transcoding, or any service that processes untrusted MP3 files. Security and platform teams should also review downstream products that embed Libav.

Technical summary

The vulnerable code path is ff_put_pixels8_xy2_mmx in rnd_template.c, as recorded for Libav 11.7. Processing a crafted MP3 file can cause invalid memory access and a crash, which is classified by NVD under CWE-476. The NVD CVSS vector indicates an availability impact with user interaction required.

Defensive priority

Medium. The record points to a crash/denial-of-service condition rather than code execution, but the issue affects media parsing and can take down applications that accept untrusted MP3 input.

Recommended defensive actions

  • Inventory any systems, applications, or appliances that use Libav 11.7 or a bundled copy of Libav.
  • Upgrade away from the affected Libav 11.7 release to a patched release provided by your vendor or distribution.
  • Restrict or sandbox processing of untrusted MP3 files until the affected component is updated.
  • Add monitoring for crashes or abnormal termination in media-processing services.
  • Check for transitive dependencies so embedded copies of Libav are not missed during remediation.

Evidence notes

The CVE was published on 2017-02-15, and the NVD record was modified on 2026-05-13; those dates are record metadata, not the original vulnerability discovery date. The supplied references include an oss-security mailing list thread, a SecurityFocus BID entry, and a Gentoo blog advisory dated 2016-09-20/21. NVD lists one vulnerable CPE: cpe:2.3:a:libav:libav:11.7:*:*:*:*:*:*:*.

Official resources

Publicly disclosed in the CVE record on 2017-02-15. The NVD record was later modified on 2026-05-13, but that does not change the original CVE publication date.