PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7499 Libav CVE debrief

CVE-2016-7499 affects Libav 11.7 and can crash the application when it processes a crafted MP3 file. NVD describes the issue as a divide-by-zero error in sbr_make_f_master within aacsbr.c, resulting in denial of service. The issue was publicly disclosed on 2017-02-15 and is rated medium severity.

Vendor: Libav
Product: CVE-2016-7499
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Organizations and products that ship or embed Libav 11.7, especially if they accept untrusted MP3 files or other user-supplied audio content. Desktop apps, media processors, and services that decode audio from external sources should prioritize review if they depend on this version.

Technical summary

NVD maps this issue to CWE-369 (divide by zero) and lists the vulnerable product as libav:libav 11.7. The referenced crash occurs in sbr_make_f_master in libavcodec/aacsbr.c and is triggered by a crafted MP3 file. The NVD CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: a local attack vector with low complexity, no privileges required, user interaction required (a user must open or process the crafted file), no confidentiality or integrity impact, and high availability impact, which is why the result is a crash rather than data exposure or code execution.

Defensive priority

Medium priority. This is a denial-of-service flaw rather than a code-execution issue, but it can still be operationally relevant anywhere Libav processes untrusted audio content. Treat it as higher priority if the affected build is exposed to frequent external media intake.

Recommended defensive actions

  • Identify systems, applications, and embedded components using Libav 11.7.
  • Check whether any products process user-controlled MP3 files or other untrusted audio.
  • Apply the vendor patch or upgrade to a fixed Libav release if available in your dependency chain.
  • If patching is delayed, reduce exposure by restricting untrusted file intake and isolating media-processing workflows.
  • Verify that downstream forks or vendored copies of aacsbr.c include the corrective changes referenced in the linked patch.
  • Add regression coverage for malformed MP3 inputs in media-decoding test suites.

Evidence notes

The primary vulnerability description comes from the supplied NVD record and its linked references. Supporting references include the oss-security mailing list post, a Gentoo security blog entry noting the divide-by-zero in sbr_make_f_master, and the Libav git diff reference for aacsbr.c. NVD also lists CWE-369 and the vulnerable CPE for Libav 11.7.

Official resources

Publicly disclosed on 2017-02-15. The supplied NVD record was last modified on 2026-05-13, but that is not the original issue date.