PatchSiren

CVE-2016-5115 Libavformat Project CVE debrief

CVE-2016-5115 is a denial-of-service issue in media parsing code associated with libavformat 57.34.103 and MPlayer. According to the supplied sources, a crafted MP3 file can trigger an out-of-bounds read in avcodec_decode_audio4, leading to service disruption rather than data modification. NVD classifies the weakness as CWE-125 and rates the issue CVSS 3.0 5.5 (Medium).

Vendor: Libavformat Project
Product: CVE-2016-5115
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and developers responsible for MPlayer deployments, systems embedding libavformat/libavcodec, and any service that automatically processes untrusted MP3 files should care most.

Technical summary

The vulnerability is described as an out-of-bounds read in avcodec_decode_audio4, with the affected CPE matching libavformat 57.34.103. The likely impact is denial of service when a crafted MP3 is parsed. NVD records the weakness as CWE-125 and assigns CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, so user interaction is required in the NVD scoring model.

Defensive priority

Medium. Prioritize if your environment opens attacker-supplied audio files or runs media parsing in a high-availability service.

Recommended defensive actions

  • Confirm whether any deployed package maps to the affected libavformat 57.34.103 CPE and update to a fixed build or vendor-backported package.
  • Review MPlayer and any libavcodec/libavformat-based workflows that accept untrusted MP3 input, and isolate or sandbox them where possible.
  • Limit automatic processing of user-supplied media files until patch status is verified.
  • Use the Openwall and MPlayer tracker references to validate whether your distribution has already backported a fix.

Evidence notes

The CVE record and NVD detail both identify the issue as CVE-2016-5115. NVD lists the vulnerable CPE as cpe:2.3:a:libavformat_project:libavformat:57.34.103:*:*:*:*:*:*:*, maps the weakness to CWE-125, and records CVSS 3.0 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. MITRE/NVD references an Openwall oss-security thread and MPlayer ticket 2298 as source material.

Official resources

Publicly disclosed on 2017-02-03. The supplied NVD metadata was last modified on 2026-05-13; that date reflects record updates, not the original vulnerability date. No CISA KEV listing is included in the supplied data.