CVE-2016-10192
CRITICAL
FFmpeg < 2.8.10, 3.0.x < 3.0.5, 3.1.x < 3.1.6, 3.2.x < 3.2.2 - Remote Code Execution via Chunk Size Mismatch
Title source: llm
Description
Heap-based buffer overflow in ffserver.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check chunk size.
References (5)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/95991
Patch x_refsource_confirm
https://github.com/FFmpeg/FFmpeg/commit/a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/01/31/12
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2017/02/02/1
Release Notes, Vendor Advisory x_refsource_confirm
https://ffmpeg.org/security.html
Scores
CVSS v3: 9.8
EPSS: 0.0484
EPSS Percentile: 89.6%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-119
Status: published
Products (14)
ffmpeg/ffmpeg 3.0
ffmpeg/ffmpeg 3.0.1
ffmpeg/ffmpeg 3.0.2
ffmpeg/ffmpeg 3.0.3
ffmpeg/ffmpeg 3.0.4
ffmpeg/ffmpeg 3.1
ffmpeg/ffmpeg 3.1.1
ffmpeg/ffmpeg 3.1.2
ffmpeg/ffmpeg 3.1.3
ffmpeg/ffmpeg 3.1.4
... and 4 more
Published: Feb 09, 2017
Tracked Since: Feb 18, 2026