PatchSiren cyber security CVE debrief

CVE-2016-9825 Libav CVE debrief

CVE-2016-9825 is a denial-of-service issue in libav 11.8’s libswscale/utils.c caused by undefined behavior when a negative value is left-shifted. The NVD record assigns a medium CVSS 3.0 score (5.5) and rates the impact as availability-only, with no confidentiality or integrity impact. This is primarily a stability risk for systems that process untrusted or externally supplied media through libav.

Vendor: Libav
Product: CVE-2016-9825
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Teams operating applications, appliances, or pipelines that use libav 11.8 for media processing should care most, especially if they accept user-supplied or remotely sourced content. Security and operations teams should also review any embedded products that bundle libav without clear upgrade paths.

Technical summary

NVD identifies the vulnerable component as libswscale/utils.c in libav 11.8 and maps the weakness to CWE-189 (Numeric Errors). The issue is triggered by left-shifting a negative value, which is undefined behavior in C and can lead to a crash. The NVD CVSS vector is CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating an availability impact that depends on user interaction.
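To make the weakness class concrete, the following is an added example written for this debrief; it is not libav code and does not reproduce the libswscale/utils.c logic. The function names (checked_shl_int, scale_coefficient_naive, scale_coefficient_checked) and the idea of a "scaling coefficient" are assumptions for illustration only. It shows the naive pattern that the C standard leaves undefined for negative operands beside a checked variant that refuses negative values, out-of-range shift counts, and results that would overflow int, so a caller gets a failure code instead of undefined behavior.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Checked left shift for int (added example, not libav code). Refuses every
 * input the C standard leaves undefined for `value << shift`:
 *   - a negative value (the defect class behind CVE-2016-9825),
 *   - a shift count that is negative or >= the width of int,
 *   - a result that does not fit in int.
 * Returns true and stores the result on success, false otherwise. */
bool checked_shl_int(int value, int shift, int *out)
{
    if (value < 0)
        return false;                      /* left shift of a negative int is UB */
    if (shift < 0 || shift >= (int)(sizeof(int) * CHAR_BIT))
        return false;                      /* shift count out of range is UB */
    if (shift > 0 && value > (INT_MAX >> shift))
        return false;                      /* result would exceed INT_MAX */
    *out = value << shift;
    return true;
}

/* Hypothetical scaler-style computation: multiply a signed coefficient by
 * 2^shift. This is the naive form; with a negative coeff it is undefined
 * behavior, which is exactly what an undefined behavior sanitizer flags. */
int scale_coefficient_naive(int coeff, int shift)
{
    return coeff << shift;
}

/* Hardened form: shift the magnitude through the checked helper and restore
 * the sign afterwards, so no negative value is ever shifted. Reports failure
 * instead of producing an undefined or silently wrapped result. */
bool scale_coefficient_checked(int coeff, int shift, int *out)
{
    if (coeff == INT_MIN)
        return false;                      /* -INT_MIN itself would overflow */
    int magnitude = coeff < 0 ? -coeff : coeff;
    int scaled;
    if (!checked_shl_int(magnitude, shift, &scaled))
        return false;
    *out = coeff < 0 ? -scaled : scaled;
    return true;
}

/* Single-value wrappers so callers (and tests) can inspect the outcome. */
int checked_shl_accepts(int value, int shift)
{
    int out;
    return checked_shl_int(value, shift, &out) ? 1 : 0;
}

int scale_accepts(int coeff, int shift)
{
    int out;
    return scale_coefficient_checked(coeff, shift, &out) ? 1 : 0;
}

int scale_or_zero(int coeff, int shift)
{
    int out;
    return scale_coefficient_checked(coeff, shift, &out) ? out : 0;
}

int main(void)
{
    /* Constructed sample inputs: a negative coefficient, a large shift, and a
     * value near INT_MAX, i.e. the cases the naive form would mishandle. */
    const int coeffs[] = { 5, -5, -1, INT_MAX, 1 };
    const int shifts[] = { 3,  3, 31,       1, 31 };
    for (int i = 0; i < 5; i++) {
        int out;
        if (scale_coefficient_checked(coeffs[i], shifts[i], &out))
            printf("coeff=%d shift=%d -> %d\n", coeffs[i], shifts[i], out);
        else
            printf("coeff=%d shift=%d -> rejected (would be UB or overflow)\n",
                   coeffs[i], shifts[i]);
    }
    /* scale_coefficient_naive(-5, 3) is deliberately not executed here:
     * compiled with -fsanitize=undefined it would be reported as UB. */
    return 0;
}
```

The checked variant is the shape of fix to look for when reviewing a backport: the shift is only ever applied to a non-negative operand, and the overflow test uses `INT_MAX >> shift` rather than performing the shift and inspecting the result, because the shift itself is what must not be undefined.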

Defensive priority

Medium. Prioritize remediation for internet-facing, user-facing, or automated media-processing services that can be fed untrusted content, because a crash can interrupt service even when the impact is limited to availability.

Recommended defensive actions

  • Inventory systems that include libav 11.8 or downstream packages that vendor it.
  • Check for vendor or distribution updates that replace the vulnerable libav build.
  • If immediate patching is not possible, restrict exposure to untrusted media and limit who can submit or influence media inputs.
  • Monitor for crashes in libswscale-related code paths and treat repeated failures as a sign to accelerate remediation.
  • Validate whether any bundled firmware or appliance images include the affected version and need a coordinated update.

Evidence notes

The supplied NVD record states that libswscale/utils.c in libav 11.8 allows denial of service via left shift of a negative value, with CWE-189 as the mapped weakness. The record also provides the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The supplied references include an NVD detail page, a CVE.org record, a SecurityFocus BID reference, and a Gentoo blog advisory about multiple crashes from the undefined behavior sanitizer. Note that the prose description says remote attackers, while the CVSS vector indicates local attack conditions with required user interaction; this should be treated as a source-level characterization difference rather than expanded beyond the provided data.

Official resources

CVE published by NVD on 2017-03-01 and last modified on 2026-05-13, per the supplied timeline.