CVE-2016-2177: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service…

critical9.8CVSS 3.0

AVNACLPRNUINSUCHIHAH

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Affected

50 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	openssl	< openssl 1.0.2i-1 (bookworm)	openssl 1.0.2i-1 (bookworm)
hp	icewall_mcrp	—	—
hp	icewall_sso	—	—
hp	icewall_sso_agent_option	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL