PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8675 Libav CVE debrief

CVE-2016-8675 is a denial-of-service issue in Libav’s bitstream parsing path. A crafted MP3 file can trigger a NULL pointer dereference in get_vlc2 (in get_bits.h), crashing the process; NVD lists the vulnerable range as Libav through 11.8.

Vendor: Libav
Product: CVE-2016-8675
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Teams running Libav-based media ingestion, transcoders, previewers, or any service that parses untrusted audio/video files should care most, especially if users can upload or otherwise supply media content.

Technical summary

The flaw is a NULL pointer dereference in get_vlc2 within get_bits.h. The referenced reports tie the crash to crafted MP3 input and note it may be related to startcode sequences during M4V detection. NVD maps the weakness to CWE-476 and scores the issue as AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Defensive priority

Medium. Prioritize remediation anywhere Libav processes untrusted media, because a simple parser crash can interrupt services or automation pipelines.

Recommended defensive actions

  • Upgrade Libav to 11.9 or later, or move to a supported release that contains the fix.
  • Restrict or sandbox media parsing services that accept user-controlled files.
  • Treat unknown or externally supplied MP3/M4V content as untrusted input and validate it at the application boundary.
  • Monitor for repeated parser crashes in media-processing workflows and investigate malformed-file handling.
  • If upgrading is delayed, reduce exposure by disabling unnecessary file ingestion paths that invoke Libav on untrusted content.
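The sandboxing and crash-monitoring actions above can be combined in a small supervisor that probes each untrusted upload in a separate decoder process and classifies the outcome. This is an added example, not code from Libav or from this debrief; the `avconv -f null -` decode command, the timeout value and the verdict names are assumptions.

```python
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumed probe command: decode the input with Libav's CLI and discard the
# output, so a parser crash (e.g. a NULL dereference inside get_vlc2) happens
# in this throwaway child instead of the ingestion service itself.
AVCONV_PROBE = ["avconv", "-v", "error", "-i", "{input}", "-f", "null", "-"]

# Signals that mean the decoder itself died rather than reported an error.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS, signal.SIGILL}


@dataclass
class ProbeResult:
    verdict: str                 # "ok", "crash", "killed", "error", "timeout"
    returncode: Optional[int]
    signal_name: Optional[str] = None

    @property
    def should_quarantine(self) -> bool:
        # Anything that took the decoder down is kept out of the pipeline
        # and counted for the "repeated parser crash" monitoring signal.
        return self.verdict in ("crash", "timeout")


def classify_returncode(rc: int) -> ProbeResult:
    """Map a child's exit status to a verdict; negative codes are signals."""
    if rc == 0:
        return ProbeResult("ok", rc)
    if rc < 0:
        sig = -rc
        try:
            name = signal.Signals(sig).name
        except ValueError:
            name = f"SIG{sig}"
        return ProbeResult("crash" if sig in CRASH_SIGNALS else "killed", rc, name)
    return ProbeResult("error", rc)       # decoder ran, rejected the file


def probe_media(path: str, command: List[str] = AVCONV_PROBE,
                timeout: float = 30.0) -> ProbeResult:
    """Decode `path` in a child process with a wall-clock limit and classify."""
    argv = [arg.format(input=path) for arg in command]
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ProbeResult("timeout", None)
    return classify_returncode(proc.returncode)
```

A repeated `crash` verdict for the same input hash across workers is the pattern to alert on, since a single malformed MP3 that segfaults the decoder every time it is retried is exactly what this CVE looks like from the outside.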

Evidence notes

This debrief is based on the supplied NVD record and its linked references: a Gentoo security blog post, an oss-security mailing list thread, and the Libav GitHub fix commit. The NVD record states the affected range ends at 11.8 and classifies the impact as availability-only. No KEV listing was provided in the corpus.

Official resources

The issue was discussed publicly in 2016 through the Gentoo blog post and oss-security mailing list thread, and the CVE record was published on 2017-02-15.