CVE-2016-9840

HIGH

zlib <1.2.8 - Info Disclosure

Title source: llm

Description

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

References (30)

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html

[Third Party Advisory] http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2016/12/05/21

[Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

[Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

[Broken Link] http://www.securityfocus.com/bid/95131

[Broken Link] http://www.securitytracker.com/id/1039427

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1220

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1221

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1222

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2999

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3046

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3047

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3453

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1402345

[Patch, Third Party Advisory] https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html

[Third Party Advisory] https://security.gentoo.org/glsa/201701-56

... and 10 more

Scores

CVSS v3 8.8

EPSS 0.1300

EPSS Percentile 93.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

Status draft

Affected Products (31)

boost/boost < 1.78.0

zlib/zlib < 1.2.9

opensuse/leap

opensuse/opensuse

debian/debian_linux

canonical/ubuntu_linux

oracle/database_server

oracle/jdk

oracle/jre

... and 16 more

Timeline

Published May 23, 2017

Tracked Since Feb 18, 2026