{"id":"CVE-2019-1000016","details":"FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array Index vulnerability in libavcodec/cbs_av1.c that can result in Denial of service. This attack appears to be exploitable via specially crafted AV1 file has to be provided as input. This vulnerability appears to have been fixed in after commit b97a4b658814b2de8b9f2a3bce491c002d34de31.","modified":"2026-04-11T08:05:27.077509Z","published":"2019-02-04T21:29:01.283Z","references":[{"type":"FIX","url":"https://github.com/FFmpeg/FFmpeg/commit/b97a4b658814b2de8b9f2a3bce491c002d34de31#diff-cd7e24986650014d67f484f3ffceef3f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ffmpeg/ffmpeg","events":[{"introduced":"0"},{"last_affected":"3c1ecb057d7621e57968624aa15ad3e9efc819f7"},{"fixed":"b97a4b658814b2de8b9f2a3bce491c002d34de31"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.1"}]}}],"versions":["N","n0.11-dev","n0.12-dev","n0.8","n1.1-dev","n1.2-dev","n1.3-dev","n2.0","n2.1-dev","n2.2-dev","n2.3-dev","n2.4-dev","n2.5-dev","n2.6-dev","n2.7-dev","n2.8-dev","n2.9-dev","n3.1-dev","n3.2-dev","n3.3-dev","n3.4-dev","n3.5-dev","n4.1-dev","n4.2-dev"],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:05:27Z","vanir_signatures":[{"source":"https://github.com/ffmpeg/ffmpeg/commit/b97a4b658814b2de8b9f2a3bce491c002d34de31","id":"CVE-2019-1000016-292ed7fc","signature_type":"Function","digest":{"length":1150,"function_hash":"89444117216328218518583035460604298320"},"signature_version":"v1","deprecated":false,"target":{"function":"cbs_av1_read_uvlc","file":"libavcodec/cbs_av1.c"}},{"source":"https://github.com/ffmpeg/ffmpeg/commit/b97a4b658814b2de8b9f2a3bce491c002d34de31","id":"CVE-2019-1000016-e1b79d98","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["321295572572670918525148286506348567611","289852500054909543682538334728688575291","193244533724342410530647525899952233845","214797463541156415192408551011991976443","53916892076291730899723562119571785421","68927719715003826018277066812640800853","320690754486287057489344160172236894610","198387964548675118805079598481465447425","303594606354513090449115964580909267906","177067541395903204372217043531284125589","164941894537040192560274040673776061142","285719695401291495696726462552255759080","236266858221882228581663560465135782703","204398928467598529286369863425179002961","288178219440397391920397863783641015672","69603532653395982289555970996965072888","138256874776666067506120822703730896101","184250773318873500496574568041324544490","12453852004191580804410599405980122872","83476593161032958047552121203250388263","96288469099989301916110574098064771532","101242470385545152788037020515928727656","161834363356756362237259688894301299513","64569670998003463292681327026236972353","46081609064212988034441236296664816308","206756360061063170298627923325238541672","184914756760731491947110653836566069897","300878971176369106792569253791028642262","35733233210096105863055595671936786472","107793023149242824865663082404613850558","266101389920159126411280570295836428310","21730581360485534424783820309660847617","180960947245061805684032102215137326976","98845598526469452334296573721533565581","24624885597960863442703808069162291159"]},"signature_version":"v1","deprecated":false,"target":{"file":"libavcodec/cbs_av1.c"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-1000016.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}