PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9820 Libav CVE debrief

CVE-2016-9820 is a denial-of-service issue in libav 11.8 affecting libavcodec/mpegvideo_motion.c. The flaw is described as a left shift of a negative value, which can trigger a crash during media processing. NVD rates the issue as medium severity and maps it to CWE-189 (numeric errors).

Vendor: Libav
Product: CVE-2016-9820
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Organizations that ship or embed libav 11.8, especially vendors of media-processing software, Linux distributions, appliance builders, and teams responsible for crash stability in parsers and transcoding pipelines.

Technical summary

The NVD record identifies libav 11.8 as affected and describes the problem as a crash in libavcodec/mpegvideo_motion.c caused by shifting a negative value left. The weakness is categorized as CWE-189. The CVSS v3.0 vector in the record is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating that availability impact is the primary concern.
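To illustrate the weakness class behind this record, the following C example is added here; it is not code from libav or from the NVD record. It contrasts the undefined shift pattern with a checked helper; the names shl_unchecked and shl_checked and the sample values are constructed for this page.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* The pattern CWE-189 covers here: left-shifting a negative int is
 * undefined behaviour in C (C11 6.5.7p4), so an undefined behaviour
 * sanitizer aborts on it and an optimiser may assume it never happens.
 * Shown only for contrast; nothing below calls it with a negative value. */
int shl_unchecked(int v, int n)
{
    return v << n;  /* UB when v < 0 or when the result does not fit in int */
}

/* Result of a checked shift: ok == 1 and value == v * 2^n when that value is
 * representable as int; ok == 0 otherwise (value is then 0 and meaningless). */
typedef struct {
    int ok;
    int value;
} shl_result;

/* Checked left shift. The arithmetic is done in 64 bits, where every
 * intermediate step is defined for 0 <= n <= 31 and any 32-bit v, and the
 * result is range-checked before narrowing back to int. */
shl_result shl_checked(int v, int n)
{
    shl_result r = { 0, 0 };
    if (n < 0 || n > 31)          /* the shift count itself must be valid */
        return r;
    int64_t scaled = (int64_t)v * ((int64_t)1 << n);
    if (scaled < INT_MIN || scaled > INT_MAX)
        return r;                 /* would overflow a 32-bit int: reject */
    r.ok = 1;
    r.value = (int)scaled;
    return r;
}

int main(void)
{
    /* constructed sample: a negative motion-vector component scaled by 2 */
    shl_result a = shl_checked(-17, 1);
    if (a.ok)
        printf("-17 scaled by 2^1 = %d\n", a.value);      /* prints -34 */
    /* constructed sample: an overflowing shift is reported, not wrapped */
    shl_result b = shl_checked(INT_MIN / 2, 2);
    if (!b.ok)
        printf("shift would overflow int: rejected\n");
    return 0;
}
```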

Defensive priority

Medium. Prioritize if libav 11.8 is present in supported products or if media parsing is exposed in high-availability services.

Recommended defensive actions

  • Inventory systems and packages that include libav 11.8 or downstream builds derived from it.
  • Upgrade to a vendor-supported libav release that includes a fix, or apply the vendor's patched package if available.
  • Rebuild and retest media-processing workloads to confirm the crash condition is eliminated.
  • Monitor crash logs and sanitizer reports in parsing/transcoding paths for recurrence or related numeric-error defects.
  • If you maintain downstream packaging, backport the upstream or distribution fix and document the affected version boundary.

Evidence notes

The NVD record for CVE-2016-9820 states that libav 11.8 is vulnerable and that libavcodec/mpegvideo_motion.c can crash due to a left shift of a negative value. NVD also lists CWE-189 and a CVSS v3.0 score of 5.5. The supplied references include a Gentoo blog advisory titled 'libav multiple crashes from the undefined behavior sanitizer' and a SecurityFocus BID reference.

Official resources

CVE-2016-9820 was published on 2017-03-01 and last modified on 2026-05-13, based on the supplied NVD and timeline data.