CVE-2016-4536

MEDIUM

OpenAFS < 1.6.17 - Information Exposure via Uninitialized RPC Structures

Title source: llm
STIX 2.1

Description

The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
Vendor Advisory mailing-list x_refsource_mlist
https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html

Scores

CVSS v3 5.3
EPSS 0.0131
EPSS Percentile 67.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
openafs/openafs < 1.6.16
Published May 13, 2016
Tracked Since Feb 18, 2026