CVE-2016-9939
PUBLISHED
Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library allocates a memory block based on the length field of the ASN.1 object. If there are not enough content octets in the ASN.1 object, the function fails and the memory block is zeroed even if it is unused. There is a noticeable delay during the wipe for a large allocation.
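The check that avoids this class of problem, shown as an added example (not Crypto++ code and not the project's fix): compare the declared length with the octets actually present before allocating anything. All names are hypothetical, and the sketch assumes a single definite-length OCTET STRING as input.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

typedef std::vector<std::uint8_t> Bytes;

// Read a BER definite-form length at buf[pos], advancing pos.
// Returns false on malformed input or the indefinite form (0x80).
bool ber_length(const Bytes& buf, std::size_t& pos, std::size_t& len) {
    if (pos >= buf.size()) return false;
    std::uint8_t first = buf[pos++];
    if ((first & 0x80) == 0) { len = first; return true; }   // short form
    std::size_t n = first & 0x7F;                            // count of length octets
    if (n == 0 || n > sizeof(std::size_t) || n > buf.size() - pos) return false;
    len = 0;
    for (std::size_t i = 0; i < n; ++i) len = (len << 8) | buf[pos++];
    return true;
}

// Size a decoder that trusts the length field would allocate (and wipe on
// failure) for this input. Computed only; nothing is allocated here.
// Returns 0 if the header is malformed.
std::size_t trusted_length_allocation(const Bytes& buf) {
    std::size_t pos = 1, len = 0;
    return (!buf.empty() && ber_length(buf, pos, len)) ? len : 0;
}

// Hardened decode of one OCTET STRING (tag 0x04): the declared length is
// checked against the bytes actually present before any allocation.
bool decode_octet_string(const Bytes& buf, Bytes& out) {
    std::size_t pos = 1, len = 0;
    if (buf.empty() || buf[0] != 0x04) return false;
    if (!ber_length(buf, pos, len)) return false;
    if (len > buf.size() - pos) return false;   // truncated object: reject early
    out.assign(buf.begin() + pos, buf.begin() + pos + len);
    return true;
}

// Constructed sample: header declares 0x7FFFFFFF content octets, supplies one.
Bytes truncated_sample() {
    const std::uint8_t raw[] = {0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0x41};
    return Bytes(raw, raw + sizeof raw);
}

int main() {
    Bytes out;
    return decode_octet_string(truncated_sample(), out) ? 1 : 0;  // 0: rejected
}
```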
Risk Scores
EPSS Score: 5.92% (90.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | libcrypto++ | 0, 5.6.1-6, 5.6.1-6+deb8u1build0.14.04.1 |
| Ubuntu:16.04:LTS | libcrypto++ | 0, 5.6.1-8, 5.6.1-9 |
Exploit Intelligence
- [oss-security] 20161212 Re: CVE Request: Potential DoS in Crypto++ ASN.1 parser (circl)
- DSA-3748 (circl)
- 94854 (circl)
- FEDORA-2019-812b77ed2e (circl)
Timeline
- Jan 30, 2017 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 16, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2016-9939 third-party-advisory
- https://github.com/weidai11/cryptopp/issues/346 third-party-advisory
- http://www.openwall.com/lists/oss-security/2016/12/12/6 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2016-9939 third-party-advisory