CVE-2016-9841

critical-risk

Published 2017-05-23

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Do I need to act?

!

13.5% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

+

Fix available

Upgrade to: 2fa463bacfff79181df1a5270fb67cc679a53e71, 9aaec95e82117c1cb0f9624264c3618fc380cecb, ab4af087e83d91a46354d765306d3543b1d85423, cea049bcf8bb0f9a6e0095dbd5dffdb14dc8f71b, ea2ceac846abb279fd4d141bfe32fc4f7a6e30e0, fbc9fded2fb4caa104e55146e6fa4fc2c3d11daf, bebda6df68c71f233a2ee212b2569ae6e70b48a9

9

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Leap

Opensuse

Debian Linux

Ubuntu Linux

Ubuntu Linux

Jdk

Jre

Mysql

Satellite

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server

Enterprise Linux Workstation

Enterprise Linux Workstation

Iphone Os

Mac Os X

Tvos

Watchos

Active Iq Unified Manager

Affected Vendors

Nodejs Redhat Apple Netapp Oracle Debian Zlib Opensuse Canonical

References (66)

http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html

http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html

http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html

http://www.openwall.com/lists/oss-security/2016/12/05/21

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/95131

http://www.securitytracker.com/id/1039427

http://www.securitytracker.com/id/1039596

https://access.redhat.com/errata/RHSA-2017:1220

https://access.redhat.com/errata/RHSA-2017:1221

https://access.redhat.com/errata/RHSA-2017:1222

https://access.redhat.com/errata/RHSA-2017:2999

https://access.redhat.com/errata/RHSA-2017:3046

https://access.redhat.com/errata/RHSA-2017:3047

https://access.redhat.com/errata/RHSA-2017:3453

https://bugzilla.redhat.com/show_bug.cgi?id=1402346

https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html

and 46 more references

70

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 12/34 · Low

Exposure 26/34 · High