CVE-2016-10190
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2016-10190
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10190.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2016-10190
- Downstream
- Related
- Published
- 2017-02-09T15:59:00.627Z
- Modified
- 2025-11-14T04:32:52.717910Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Heap-based buffer overflow in libavformat/http.c in FFmpeg before 2.8.10, 3.0.x before 3.0.5, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 allows remote web servers to execute arbitrary code via a negative chunk size in an HTTP response.
- References
-
- http://www.securityfocus.com/bid/95986
- https://lists.debian.org/debian-lts-announce/2018/12/msg00009.html
- https://trac.ffmpeg.org/ticket/5992
- http://www.openwall.com/lists/oss-security/2017/01/31/12
- http://www.openwall.com/lists/oss-security/2017/02/02/1
- https://ffmpeg.org/security.html
- https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa
Affected packages
Git / git.ffmpeg.org/ffmpeg.git
Git / github.com/ffmpeg/ffmpeg
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ffmpeg/ffmpeg
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
N
n0.*
n0.11-dev
n0.12-dev
n0.8
n1.*
n1.1-dev
n1.2-dev
n1.3-dev
n2.*
n2.0
n2.1-dev
n2.2-dev
n2.3-dev
n2.4-dev
n2.5-dev
n2.6-dev
n2.7-dev
n2.8-dev
n2.9-dev
n3.*
n3.1-dev
n3.2-dev
n3.3-dev
Database specific
vanir_signatures
[
{
"digest": {
"line_hashes": [
"195999663670395503853889201858602138339",
"337394873705817049612632853846211991246",
"281429762653280480764985616040684003074",
"181135591961178219334965079780398465644",
"301977385217758711588590238081694807191",
"4332534641764958029126003953881495642",
"78488409577540362127201842823735556550",
"294245872781092961482345009691324773866",
"50172627417254511126384020568043869421",
"112650500083297809555288309914964668779",
"30056712349516425312493654165939340259",
"298249970838642601123972583878986451394",
"176407889866597877503055189876499418998",
"193744821904088677257446971802230192422",
"167936627276812967465598665592130335165",
"149057470804409335808502586868429057327",
"314912851706149201516506787973960357799",
"147173598555519645520579805310458146800",
"29087375443321685771228653565552823132",
"338133686815687239574396247767484144980",
"242586206816867182635535439722785464192",
"63274841844650378289363788216436177961",
"69695398128977857204627250329512846761",
"159877063323603233213517554618491457080",
"148746741395448115673262940748286112383",
"215135803124320082263730838657324867399",
"304785617176626286438417500308733431081",
"104683594907378898032347369266827696254",
"210609334766725791740571382647031557290",
"336025561921878649109859305752516240059",
"193335780054135415349016455931345387834",
"5200210177290942409173405905234360868",
"58041336525576138683760382081305512420",
"176236939584381875316021462629521047469",
"94212220667250397537912484595720679606",
"307694002484925509855511584325910580472",
"145103461001093881257625819130696065017",
"230610564455100988109910632330191728421",
"70125292451460020843285881429093326179",
"153598065943465698668267997740394593054",
"268593430374134125250196730081209385195",
"293868026800181583571677458898190406017",
"88295059203012252592394965214548395627",
"105093005580092505988693877616976967979",
"86007042803940118800028476800584149559",
"311880476248326962136008921758625687463",
"338764777561368621476221375386326476238",
"47664005056104378332100527446338762935",
"44611751549552516955042496857640975595",
"107463033404543910575729349428633843257",
"43715430391330689511422764253024813728",
"49146989014158618782354245167122525313",
"324626250988046984580502223692664343191",
"68110331019358658271543741634753719589",
"257630673840875065656696176013196471051",
"330174377874492950428532523797563114320",
"184571769670058717495637840659386306545",
"72037359362049757401143768323280573478",
"261418715895457626359130608669225281735",
"191710336257866828202651790587640462656",
"266561053794300878391607306269928875736",
"71695166541645273191353008378911185674",
"160044126434007948026797462302852327725",
"208035063315291775027148960437059197391",
"74446269432642678552563105823143251367",
"76111632104629555969923027847174221838",
"121801329192032031979805864317813189823",
"169656543150414343351800221982084571677",
"275579883180837985032567593021986275590",
"214330101327163149036806779438415064661",
"95847572856940569416720961064551929955",
"257358118154356826154560378835377248593",
"72071214125283239948482876234408555385",
"301979849324286532993733565032331804118",
"186079235504122307468672380495855990691",
"141803169938265716261785770250791107490",
"12230199056265414075302853110896926046",
"48300616660767152834298710993760025847",
"2828056941259794508615439231571091318",
"3967397339702129711626534087308805389",
"49414725480161860793357595366995394760",
"98126838883829452946687614567867936231",
"293945222104089173824526833737138028955",
"108374270174840899325385671156632327395",
"196634904955693853372131665235786018387",
"26815514573349448131419393817877586727",
"300054146929949682389009299887678074309",
"111314383662916087408744711679758884830",
"175794948142823669334687464441360552413",
"33726988287170670072613719082076087265",
"13811679111082197512425596512372468787",
"68262581337783293796152438586751386088",
"293118137688244615364615398507471217242",
"263405096623595840524318800257381257853",
"294291539822903816170014810798224938706",
"136957136615083739787700046919468007988",
"219730309520283490880425513840675405698",
"204739233458432632821450147658324888399",
"169317966908470365298673360861576515443",
"77667814784786339654793077996442539596",
"221382695690763806654900884331706904610",
"153240225503016989958213145739932616551",
"86387841214565110119566692317248873878"
],
"threshold": 0.9
},
"target": {
"file": "libavformat/http.c"
},
"signature_type": "Line",
"id": "CVE-2016-10190-08770d1e",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 4320.0,
"function_hash": "12610718817939929222738398655267156227"
},
"target": {
"file": "libavformat/http.c",
"function": "http_connect"
},
"signature_type": "Function",
"id": "CVE-2016-10190-0ce4b0a7",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 1750.0,
"function_hash": "302717158320484032752066418671647662494"
},
"target": {
"file": "libavformat/http.c",
"function": "http_read_stream"
},
"signature_type": "Function",
"id": "CVE-2016-10190-2f73aea5",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 1218.0,
"function_hash": "6516275375144746073299497260326148662"
},
"target": {
"file": "libavformat/http.c",
"function": "http_seek_internal"
},
"signature_type": "Function",
"id": "CVE-2016-10190-6c648151",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 668.0,
"function_hash": "29291998720851582992351322556084772994"
},
"target": {
"file": "libavformat/http.c",
"function": "http_read_header"
},
"signature_type": "Function",
"id": "CVE-2016-10190-6e795f3b",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 4144.0,
"function_hash": "230933525932273812045672291144973050095"
},
"target": {
"file": "libavformat/http.c",
"function": "process_line"
},
"signature_type": "Function",
"id": "CVE-2016-10190-7161a4f2",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 1871.0,
"function_hash": "150729267673974336767668852687675522780"
},
"target": {
"file": "libavformat/http.c",
"function": "http_proxy_open"
},
"signature_type": "Function",
"id": "CVE-2016-10190-77fbd344",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 995.0,
"function_hash": "80694966203472736538792799490348615589"
},
"target": {
"file": "libavformat/http.c",
"function": "http_open"
},
"signature_type": "Function",
"id": "CVE-2016-10190-aa69c7ad",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 858.0,
"function_hash": "278051685018924489094697474612484937283"
},
"target": {
"file": "libavformat/http.c",
"function": "http_buf_read"
},
"signature_type": "Function",
"id": "CVE-2016-10190-b20cd40c",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
},
{
"digest": {
"length": 658.0,
"function_hash": "13106501879363286127811322793886100134"
},
"target": {
"file": "libavformat/http.c",
"function": "store_icy"
},
"signature_type": "Function",
"id": "CVE-2016-10190-c1942b99",
"signature_version": "v1",
"source": "https://github.com/ffmpeg/ffmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa",
"deprecated": false
}
]