CVE-2016-10196 — HIGH (7.5)

Q: How severe is CVE-2016-10196?

CVE-2016-10196 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-10196?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Libevent Project Libevent, Mozilla Firefox, Mozilla Thunderbird.

Vulnerability Description

Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involving a long string in brackets in the ip_as_string argument.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	8.0
Libevent Project	Libevent	<= 2.1.5
Mozilla	Firefox	< 45.9.0
Mozilla	Thunderbird	< 52.1.0

Related Weaknesses (CWE)

CWE-787

References

http://www.debian.org/security/2017/dsa-3789Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/01/31/17Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2017/02/02/7Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/96014Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038320Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:1104Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1106Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1201Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1343453Issue TrackingThird Party Advisory
https://github.com/libevent/libevent/blob/release-2.1.6-beta/ChangeLogRelease NotesThird Party Advisory
https://github.com/libevent/libevent/commit/329acc18a0768c21ba22522f01a5c7f46cacPatchThird Party Advisory
https://github.com/libevent/libevent/issues/318ExploitIssue TrackingThird Party Advisory
https://security.gentoo.org/glsa/201705-01Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-10/Third Party Advisory
https://www.mozilla.org/security/advisories/mfsa2017-11/Third Party Advisory

FAQ

What is CVE-2016-10196?

CVE-2016-10196 is a vulnerability with a CVSS score of 7.5 (HIGH). Stack-based buffer overflow in the evutil_parse_sockaddr_port function in evutil.c in libevent before 2.1.6-beta allows attackers to cause a denial of service (segmentation fault) via vectors involvin...

How severe is CVE-2016-10196?

CVE-2016-10196 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-10196?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Libevent Project Libevent, Mozilla Firefox, Mozilla Thunderbird.