CVE-2016-2842Improper Restriction of Operations within the Bounds of a Memory Buffer in Openssl

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-787Out-of-bounds WriteCWE-200Sensitive Information ExposureCWE-310CWE-39926 documents12 sources
Severity
9.8CRITICALNVD
EPSS
54.0%
top 1.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
OpensslDebian OpensslPaloalto Pan-os+1 more
Timeline
PublishedMar 3
Latest updateNov 11

Description

The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

debiandebian/openssl< openssl 1.0.2g-1 (bookworm)
Debianopenssl/openssl< 1.0.2g-1+3
NVDopenssl/openssl26 versions+25
Palo Altopaloalto/pan-os

🔴Vulnerability Details

4
GHSA
GHSA-jj34-65xr-hwrp: The doapr_outch function in crypto/bio/b_print2022-05-14
GHSA
GHSA-x493-jjcm-ffg2: The fmtstr function in crypto/bio/b_print2022-05-14
OSV
CVE-2016-0799: The fmtstr function in crypto/bio/b_print2016-03-03
OSV
CVE-2016-2842: The doapr_outch function in crypto/bio/b_print2016-03-03

📋Vendor Advisories

11
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices2022-12-19
CISA ICS
Advantech Spectre RT Industrial Routers2021-02-23
Palo Alto
PAN-SA-2016-0020 OpenSSL Vulnerabilities2016-08-15
Android
CVE-2016-2842: Android Security Bulletin 2016-08-01 CVE: CVE-2016-2842 Affected AOSP versions: 42016-08-01
Red Hat
openssl: doapr_outch function does not verify that certain memory allocation succeeds2016-03-03

📄Research Papers

4
arXiv
From LLMs to Agents: A Comparative Evaluation of LLMs and LLM-based Agents in Security Patch Detection2025-11-11
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware2022-12-29
arXiv
A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics2021-12-13
arXiv
Hey Google, What Exactly Do Your Security Patches Tell Us? A Large-Scale Empirical Study on Android Patched Vulnerabilities2019-05-22

💬Community

5
Bugzilla
CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds2016-03-04
Bugzilla
CVE-2016-2842 mingw-openssl: openssl: doapr_outch function does not verify that certain memory allocation succeeds [fedora-all]2016-03-04
Bugzilla
CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds [fedora-all]2016-03-04
Bugzilla
CVE-2016-2842 openssl101e: openssl: doapr_outch function does not verify that certain memory allocation succeeds [epel-5]2016-03-04
Bugzilla
CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions2016-02-26
CVE-2016-2842 — Debian Openssl vulnerability | cvebase