Vulnerability Details : CVE-2016-1628
pi.c in OpenJPEG, as used in PDFium in Google Chrome before 48.0.2564.109, does not validate a certain precision value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted JPEG 2000 image in a PDF document, related to the opj_pi_next_rpcl, opj_pi_next_pcrl, and opj_pi_next_cprl functions.
Vulnerability category: Execute codeDenial of service
Products affected by CVE-2016-1628
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1628
1.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-1628
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
6.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
2.8
|
3.4
|
NIST |
CWE ids for CVE-2016-1628
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1628
-
http://www.debian.org/security/2016/dsa-3486
Debian -- Security Information -- DSA-3486-1 chromium-browser
-
http://www.securitytracker.com/id/1035183
Google Chrome Bugs Let Remote Users Execute Arbitrary Code and Bypass Security Restrictions - SecurityTracker
-
http://googlechromereleases.blogspot.com/2016/02/stable-channel-update_9.html
Chrome Releases: Stable Channel Update
-
http://www.zerodayinitiative.com/advisories/ZDI-16-172/
ZDI-16-172 | Zero Day Initiative
-
https://security.gentoo.org/glsa/201710-26
OpenJPEG: Multiple vulnerabilities (GLSA 201710-26) — Gentoo security
-
https://code.google.com/p/chromium/issues/detail?id=571479
571479 - ZDI-CAN-3432: New Vulnerability Report - chromium - Monorail
-
https://codereview.chromium.org/1590593002
Issue 1590593002: Merge to XFA: openjpeg: Fix potential bad precno value in opj_pi_next* functions. - Code Review
-
https://security.gentoo.org/glsa/201603-09
Chromium: Multiple vulnerabilities (GLSA 201603-09) — Gentoo security
-
http://www.debian.org/security/2017/dsa-4013
Debian -- Security Information -- DSA-4013-1 openjpeg2
-
http://www.securityfocus.com/bid/83125
Google Chrome Prior to 48.0.2564.109 Multiple Security Vulnerabilities
-
http://rhn.redhat.com/errata/RHSA-2016-0241.html
RHSA-2016:0241 - Security Advisory - Red Hat Customer Portal
Jump to