CVE-2016-9841 : inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecif

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

Published 2017-05-23 04:29:02

Updated 2022-08-16 13:02:20

Source SUSE

View at NVD, CVE.org

Products affected by CVE-2016-9841

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Satellite » Version: 5.8
cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
Matching versions
Apple » Mac Os X
Versions from including (>=) 10.0.0 and before (<) 10.13.0
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions before (<) 11
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions
Apple » Watchos
Versions before (<) 4
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Matching versions
Apple » Tvos
Versions before (<) 11.0
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Matching versions
Oracle » Database Server » Version: 18C
cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update151
cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.8.0 Update Update144
cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.6.0 Update Update161
cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.6.0 Update Update161
cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update144
cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update151
cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.6.0 and up to, including, (<=) 5.6.41
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.7.0 and up to, including, (<=) 5.7.23
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.5.0 and up to, including, (<=) 5.5.61
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.12
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.1
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.2
cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Balance » Version: N/A
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Workflow Automation » Version: N/A
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Insight » Version: N/A
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Unified Manager » For Windows
Versions up to, including, (<=) 7.1
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*
Matching versions
Netapp » Oncommand Unified Manager » For Vsphere
Versions up to, including, (<=) 7.1
cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*
Matching versions
Netapp » Oncommand Unified Manager » Version: N/A For 7-mode
cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:7-mode:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For Oracle
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*
Matching versions
Netapp » Snapmanager » Version: N/A For SAP
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
Matching versions
Netapp » Steelstore Cloud Integrated Storage » Version: N/A
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Os Controller
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.70.1
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Management » Version: N/A For Vmware Vasa
cpe:2.3:a:netapp:e-series_santricity_management:-:*:*:*:*:vmware_vasa:*:*
Matching versions
Netapp » E-series Santricity Management » Version: N/A For Vmware Sra
cpe:2.3:a:netapp:e-series_santricity_management:-:*:*:*:*:vmware_sra:*:*
Matching versions
Netapp » E-series Santricity Management » Version: N/A For Vmware Vcenter
cpe:2.3:a:netapp:e-series_santricity_management:-:*:*:*:*:vmware_vcenter:*:*
Matching versions
Netapp » E-series Santricity Storage Manager » Version: N/A
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Web Services » Version: N/A For Web Services Proxy
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
Matching versions
Netapp » Virtual Storage Console » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:virtual_storage_console:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Solidfire » Version: N/A
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
Matching versions
Netapp » Hci Storage Node » Version: N/A
cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Performance Manager » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Oncommand Shift » Version: N/A
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Vmware Vsphere
Versions from including (>=) 9.5
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Active Iq Unified Manager » For Windows
Versions from including (>=) 7.3
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Matching versions
Netapp » Storage Replication Adapter For Clustered Data Ontap » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Vasa Provider For Clustered Data Ontap
Versions from including (>=) 7.2
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*
Matching versions
Netapp » Symantec Netbackup » Version: N/A
cpe:2.3:a:netapp:symantec_netbackup:-:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 7.0.0 and before (<) 7.6.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 6.9.0 and before (<) 6.10.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 4.2.0 and before (<) 4.8.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 4.0.0 and up to, including, (<=) 4.1.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Zlib » Zlib
Versions from including (>=) 1.2.0 and before (<) 1.2.9
cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2016-9841

Top countries where our scanners detected CVE-2016-9841

Top open port discovered on systems with this issue 80

IPs affected by CVE-2016-9841 2,882

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-9841!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-9841

EPSS FAQ

18.98%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 95 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-9841

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2016-9841

https://access.redhat.com/errata/RHSA-2017:1222

RHSA-2017:1222 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1220

RHSA-2017:1220 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208112

About the security content of iOS 11 - Apple Support
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1039427

Apple macOS/OS X Multiple Flaws Let Remote and Local Users Bypass Security and Deny Service, Local Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges - SecurityT
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html

openSUSE-SU-2016:3202-1: moderate: Security update for zlib
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208113

About the security content of tvOS 11 - Apple Support
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

CPU Oct 2018
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3046

RHSA-2017:3046 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html

[SECURITY] [DLA 1725-1] rsync security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020
Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/95131

zlib Multiple Denial of Service Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://usn.ubuntu.com/4292-1/

USN-4292-1: rsync vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208115

About the security content of watchOS 4 - Apple Support
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:2999

RHSA-2017:2999 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208144

About the security content of macOS High Sierra 10.13 - Apple Support
Third Party Advisory

CVEs referencing this url
https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Use post-increment only in inffast.c. · madler/zlib@9aaec95 · GitHub
Patch;Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html

openSUSE-SU-2017:0080-1: moderate: Security update for zlib
Mailing List;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4246-1/

USN-4246-1: zlib vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

Exploit;Technical Description;Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Oracle Critical Patch Update - October 2017
Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1221

RHSA-2017:1221 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib

MOSS/Secure Open Source/Completed - MozillaWiki
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3047

RHSA-2017:3047 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20171019-0001/

October 2017 Java Platform Standard Edition Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1039596

Oracle Java SE Multiple Flaws Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges - SecurityTracker
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2016/12/05/21

oss-security - Re: CVE Request: zlib security issues found during audit
Mailing List;Patch;Third Party Advisory;VDB Entry

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1402346

1402346 – (CVE-2016-9841) CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c
Issue Tracking
https://access.redhat.com/errata/RHSA-2017:3453

RHSA-2017:3453 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CPU July 2018
Patch;Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html

openSUSE-SU-2017:0077-1: moderate: Security update for zlib
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/201701-56

zlib: Multiple vulnerabilities (GLSA 201701-56) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202007-54

rsync: Multiple vulnerabilities (GLSA 202007-54) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html

[SECURITY] [DLA 2085-1] zlib security update
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-9841

Products affected by CVE-2016-9841

Threat overview for CVE-2016-9841

Exploit prediction scoring system (EPSS) score for CVE-2016-9841

CVSS scores for CVE-2016-9841

References for CVE-2016-9841