PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9822 Libav CVE debrief

CVE-2016-9822 describes an integer overflow in libavcodec/mpeg12dec.c in libav 11.8. The practical impact reported in the CVE is a denial-of-service condition: a crafted file can crash the affected decoder. NVD classifies the issue as CWE-190 and assigns CVSS 3.0 5.5 (Medium). The NVD vector indicates availability impact with user interaction required.

Vendor: Libav
Product: CVE-2016-9822
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Organizations and teams that still run libav 11.8 or package it into media-processing workflows should care, especially if they accept untrusted or externally supplied files. This is most relevant for systems that automatically parse media content, desktop applications that open user-provided files, and distribution maintainers tracking security fixes.

Technical summary

The vulnerability is an integer overflow in libavcodec/mpeg12dec.c, specifically in the MPEG-1/2 decoder path. According to the CVE record, a crafted file can trigger a crash, resulting in denial of service. The NVD entry maps the issue to CWE-190 and reports CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which emphasizes availability impact and user interaction.

Defensive priority

Medium. The issue is primarily an availability risk, but it can still disrupt applications or services that process untrusted media files.

Recommended defensive actions

  • Upgrade libav to a version that includes the vendor or distribution fix, if available.
  • Apply security updates from your operating system or distribution maintainer, such as the referenced Debian advisory.
  • Restrict or isolate processing of untrusted media files where practical.
  • Monitor applications that use libav for unexpected crashes or decoder failures.
  • Review any software inventory for libav 11.8 exposure and retire unsupported builds.
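The two checks above that lend themselves to automation are the inventory review (find installed libav 11.8 packages) and crash monitoring (spot decoder processes faulting inside a libav library). The following script is an added example written for this debrief; it is not PatchSiren or Libav code. It parses constructed `dpkg -l`-style inventory lines and constructed syslog lines embedded below, and it assumes the affected upstream version set is exactly {"11.8"} as stated in the CVE record; adjust that set to match your distribution's advisory.

```python
import re
from typing import Dict, List, Set

# Constructed sample inventory in `dpkg -l` style (not output from a real host).
# Columns: status, package, version, architecture, description.
SAMPLE_INVENTORY = """\
ii  libavcodec56:amd64   6:11.8-1      amd64  Libav codec library
ii  libavformat56:amd64  6:11.8-1      amd64  Libav file format library
ii  libavcodec57:amd64   7:3.2.4-1     amd64  FFmpeg codec library
ii  libjpeg-turbo8       1.4.2-0       amd64  JPEG library
rc  libavutil54:amd64    6:11.8-1      amd64  Libav utility library
"""

# Constructed syslog-style lines (not output from a real host).
SAMPLE_SYSLOG = """\
Mar  1 10:02:11 host kernel: [1234.56] transcode[2048]: segfault at 0 ip 00007f1c0a0b0c0d sp 00007ffd0000 error 4 in libavcodec.so.56.1.0[7f1c00000000+1000000]
Mar  1 10:02:12 host transcode[2048]: finished job 17
Mar  1 10:03:40 host kernel: [1323.10] ffplay[2101]: segfault at 8 ip 00007f2200000000 sp 00007ffd0000 error 4 in libc-2.23.so[7f2200000000+1c0000]
"""

# Assumption: the CVE text names libav 11.8; the upstream versions treated as
# affected are therefore {"11.8"}. Replace with your distribution's fixed-version data.
AFFECTED_UPSTREAM: Set[str] = {"11.8"}

DPKG_LINE = re.compile(r"^(\w{2})\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def upstream_version(debian_version: str) -> str:
    """Strip the Debian epoch ("6:") and revision ("-1") to get the upstream version."""
    without_epoch = re.sub(r"^\d+:", "", debian_version)
    return without_epoch.split("-", 1)[0]


def affected_libav_packages(inventory: str,
                            affected: Set[str] = AFFECTED_UPSTREAM) -> List[Dict[str, str]]:
    """Return installed ('ii') libav* packages whose upstream version is in `affected`.

    Packages in 'rc' state (removed, config files remain) are skipped because the
    shared object is no longer on disk and cannot be loaded by a decoder.
    """
    hits = []
    for line in inventory.splitlines():
        m = DPKG_LINE.match(line)
        if not m:
            continue
        status, name, version, _arch, _desc = m.groups()
        if status != "ii" or not name.startswith("libav"):
            continue
        up = upstream_version(version)
        if up in affected:
            hits.append({"package": name, "version": version, "upstream": up})
    return hits


# Kernel segfault report where the faulting address resolves into a libav library.
SEGFAULT = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at \S+ .*? in (?P<lib>libav[a-z]+\.so[0-9.]*)"
)


def libav_segfaults(syslog: str) -> List[Dict[str, object]]:
    """Return crash events whose faulting library is a libav shared object.

    A fault in libc or another library is deliberately not reported, so the
    output stays focused on decoder crashes worth correlating with this CVE.
    """
    events = []
    for line in syslog.splitlines():
        m = SEGFAULT.search(line)
        if m:
            events.append({"process": m.group("proc"),
                           "pid": int(m.group("pid")),
                           "library": m.group("lib")})
    return events


if __name__ == "__main__":
    for hit in affected_libav_packages(SAMPLE_INVENTORY):
        print(f"exposed package: {hit['package']} {hit['version']}")
    for ev in libav_segfaults(SAMPLE_SYSLOG):
        print(f"decoder crash: {ev['process']}[{ev['pid']}] in {ev['library']}")
```

On a real host, feed `affected_libav_packages` the text of `dpkg -l 'libav*'` and `libav_segfaults` the kernel log; a single libav-resolved segfault on a service that only processes externally supplied media is the signal the "monitor for unexpected crashes" recommendation is looking for.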

Evidence notes

This debrief is based on the CVE record, NVD detail page, and the referenced advisories. The CVE description states an integer overflow in libavcodec/mpeg12dec.c in libav 11.8 that can cause a crash via a crafted file. NVD lists CWE-190 and CVSS 3.0 5.5 Medium. Referenced supporting sources include Debian DSA-3833, SecurityFocus BID 94732, and a Gentoo blog advisory about libav crashes.

Official resources

CVE published on 2017-03-01. The NVD record was later modified on 2026-05-13, but that modification date is not the vulnerability issue date. No KEV listing is present in the supplied corpus.