CVE-2016-10191

critical

Published 2017-02-09 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Heap-based buffer overflow in libavformat/rtmppkt.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote attackers to execute arbitrary code by leveraging failure to check for RTMP packet size mismatches.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-10191

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/FFmpeg/FFmpeg/commit/7d57ca4d9a75562fa32e40766211de150f8b3ee7

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://ffmpeg.org/security.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://www.openwall.com/lists/oss-security/2017/02/02/1

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://www.openwall.com/lists/oss-security/2017/01/31/12

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`7:3.2.2-1`
debian	bullseye	fixed	`7:3.2.2-1`
debian	forky	fixed	`7:3.2.2-1`
debian	sid	fixed	`7:3.2.2-1`
debian	trixie	fixed	`7:3.2.2-1`

Application impact

Vendor	Product	Versions
ffmpeg	ffmpeg	`{"endIncluding":"2.8.9"}`
ffmpeg	ffmpeg	`3.0`
ffmpeg	ffmpeg	`3.0.1`
ffmpeg	ffmpeg	`3.0.2`
ffmpeg	ffmpeg	`3.0.3`
ffmpeg	ffmpeg	`3.0.4`
ffmpeg	ffmpeg	`3.1`
ffmpeg	ffmpeg	`3.1.1`
ffmpeg	ffmpeg	`3.1.2`
ffmpeg	ffmpeg	`3.1.3`
ffmpeg	ffmpeg	`3.1.4`
ffmpeg	ffmpeg	`3.1.5`
ffmpeg	ffmpeg	`3.2`
ffmpeg	ffmpeg	`3.2.1`

References

CWEs

CWE-119

Verify integrity in audit chain (admin only). AS-IS.