CVE-2016-4536

MEDIUM

OpenAFS < 1.6.16 - Information Disclosure

Title source: rule

Description

The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 52.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-200
Status draft

Affected Products (1)

openafs/openafs < 1.6.16

Timeline

Published May 13, 2016
Tracked Since Feb 18, 2026