CVE-2016-2107

MEDIUM

Redhat Enterprise Linux Desktop < 1.0.1s - Information Disclosure

Title source: rule

Exploitation Summary

EIP tracks 3 public exploits for CVE-2016-2107. PoCs published by Juraj Somorovsky, FiloSottile, tmiklas.

Description

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Juraj Somorovsky · text · dos · multiple
https://www.exploit-db.com/exploits/39768

This exploit leverages a padding oracle vulnerability in OpenSSL (CVE-2016-2107) by sending malformed TLS Finished messages to trigger incorrect error handling. The provided XML configuration for TLS-Attacker demonstrates the attack by manipulating the plaintext bytes in the Finished message.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSL versions 1.0.1 before 1.0.1t and 1.0.2 before 1.0.2h
No auth needed
Prerequisites: TLS-Attacker tool · Network access to vulnerable OpenSSL server
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 194 stars
by FiloSottile · poc
https://github.com/FiloSottile/CVE-2016-2107

This repository contains a functional exploit PoC for CVE-2016-2107, a vulnerability in OpenSSL's ASN.1 parser that allows remote attackers to cause a denial-of-service (DoS) via a crafted TLS message. The code includes a test function that sends a malformed TLS record to trigger the vulnerability and checks for specific error responses.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: OpenSSL (versions affected by CVE-2016-2107)
No auth needed
Prerequisites: Network access to a vulnerable OpenSSL server
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by tmiklas · poc
https://github.com/tmiklas/docker-cve-2016-2107

This repository contains a Dockerized test for CVE-2016-2107, a padding oracle vulnerability in OpenSSL CBC ciphersuites. The Dockerfile sets up a container with a statically linked binary to test the vulnerability, referencing Filippo Valsorda's original exploit code.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenSSL (versions affected by CVE-2016-2107)
No auth needed
Prerequisites: Network access to a vulnerable OpenSSL server
devstral-2 · analyzed Feb 18, 2026

References (58)

Core References
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00014.html
Third Party Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-2073.html
Third Party Advisory vendor-advisory
http://www.debian.org/security/2016/dsa-3566
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/201612-16
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00008.html
Third Party Advisory, VDB Entry vdb-entry
http://www.securitytracker.com/id/1035721
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00001.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184605.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183607.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00016.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00011.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00013.html
Third Party Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-0996.html
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/91787
Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/89760
Third Party Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-2957.html
Third Party Advisory vendor-advisory
http://www.ubuntu.com/usn/USN-2959-1
Third Party Advisory vendor-advisory
http://rhn.redhat.com/errata/RHSA-2016-0722.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183457.html
Third Party Advisory
https://support.apple.com/HT206903
Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/39768/

Scores

CVSS v3 5.9
EPSS 0.8906
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-200, CWE-310
Status published
Products (47)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
canonical/ubuntu_linux 16.04
debian/debian_linux 8.0
google/android 4.0
google/android 4.0.1
google/android 4.0.2
google/android 4.0.3
google/android 4.0.4
... and 37 more
Published May 05, 2016
Tracked Since Feb 18, 2026