Heap-based buffer overflow in FFmpeg - CVE-2016-6920
Published: October 9, 2018 / Updated: June 8, 2025
FFmpeg
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the decode_block function in libavcodec/exr.c in FFmpeg before 3.1.3. A remote attacker can use vectors involving tile positions to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
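The description above names tile positions as the trigger. As an added illustration of that bug class (not FFmpeg's decode_block and not the upstream patch; image_t, image_init and place_tile are hypothetical names), this is the position check a tiled-image decoder needs before copying a tile into a heap buffer sized from the file header:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state: 1 byte per pixel, buffer sized from the header. */
typedef struct {
    uint32_t width, height;   /* image size from the file header */
    uint32_t tile_w, tile_h;  /* tile size from the file header */
    uint8_t *pixels;          /* width * height bytes on the heap */
} image_t;

/* Allocate the pixel buffer. Returns 0 on success, -1 on a bad header. */
int image_init(image_t *img, uint32_t w, uint32_t h, uint32_t tw, uint32_t th)
{
    if (!w || !h || !tw || !th || (uint64_t)w * h > (1u << 28))
        return -1;
    img->width = w; img->height = h;
    img->tile_w = tw; img->tile_h = th;
    img->pixels = calloc((size_t)w * h, 1);
    return img->pixels ? 0 : -1;
}

/*
 * Copy one decoded tile (tile_w * tile_h bytes in src) into the image.
 * tile_x / tile_y are tile indices taken from the untrusted file.
 * Returns the number of rows written, or -1 if the position is rejected.
 */
int place_tile(image_t *img, uint32_t tile_x, uint32_t tile_y, const uint8_t *src)
{
    /* 64-bit products: index * tile size cannot wrap before the comparison. */
    uint64_t x0 = (uint64_t)tile_x * img->tile_w;
    uint64_t y0 = (uint64_t)tile_y * img->tile_h;

    /* Without this check the memcpy below writes past the heap buffer. */
    if (x0 >= img->width || y0 >= img->height)
        return -1;

    /* Tiles on the right/bottom edge may be partial: clamp to the image. */
    uint64_t cols = img->width - x0, rows = img->height - y0;
    if (cols > img->tile_w) cols = img->tile_w;
    if (rows > img->tile_h) rows = img->tile_h;

    for (uint64_t r = 0; r < rows; r++)
        memcpy(img->pixels + (y0 + r) * img->width + x0,
               src + r * img->tile_w, (size_t)cols);
    return (int)rows;
}
```

A tile index large enough to wrap a 32-bit multiplication is rejected here because the origin is computed in 64 bits before it is compared against the image size.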
How to mitigate CVE-2016-6920
Sources
- http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f52a0dbd484aad111e4bf4a4f7047c7ceb6137
- http://packetstormsecurity.com/files/138618/ffmpeg-3.1.2-Heap-Overflow.html
- http://www.securityfocus.com/archive/1/539368/100/0/threaded
- http://www.securityfocus.com/bid/92664
- http://www.securityfocus.com/bid/92790
- https://www.ffmpeg.org/security.html