CVE-2016-2851
published 2016-04-07


Priority: P269 · critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: PoC available
EPSS: 25.40% (97.7th percentile)
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.

Affected (10 ranges)

Vendor        Product        Version range                   Fixed in
cypherpunks   libotr         <= 4.1.0
cypherpunks   libotr         >= 0, < 4.1.1-1                 4.1.1-1
cypherpunks   libotr         >= 0, < 4.1.1-1                 4.1.1-1
cypherpunks   libotr         >= 0, < 4.1.1-1                 4.1.1-1
cypherpunks   libotr         >= 0, < 4.1.1-1                 4.1.1-1
debian        debian_linux   (no range given)
debian        debian_linux   (no range given)
debian        libotr         < libotr 4.1.1-1 (bookworm)     libotr 4.1.1-1 (bookworm)
opensuse      leap           (no range given)
opensuse      opensuse       (no range given)

Detection & IOCs (extracted from sources)

command: ?OTR:AAMD (base64 prefix of an OTR v3 DATA message: version 0x0003, type 0x03)
other: OTR fragmented message prefix: ?OTR,<k>,<n>,<body>,
bytes: datalen = 0xFFFFFFFF (pack('I', 0xFFFFFFFF))
  • Detect OTR messages with a declared datalen field of 0xFFFFFFFF (integer overflow trigger) in proto.c read_int path
  • Monitor for a large number of OTR message fragments sent in sequence to a single recipient — the PoC sends ~5.7 GB worth of fragments to trigger the heap overflow
  • Detect OTR DATA messages (libotr message type OTRL_MSGTYPE_DATA; the vulnerable parsing only runs for a session already in state OTRL_MSGSTATE_ENCRYPTED) arriving over XMPP/Jabber with abnormally large base64-encoded payloads
  • Flag OTR fragment storms: a single conversation receiving hundreds or thousands of ?OTR,k,n,... fragments where n is extremely large
  • The vulnerability is only exploitable on 64-bit platforms running libotr 4.1.0 and below; triage alerts accordingly
  • The integer overflow occurs because datalen is read into an 'unsigned int' (32-bit) while the surrounding length checks use size_t (64-bit), so the overflow only manifests on 64-bit architectures
  • No authentication or user interaction is required; the attacker only needs an established OTR session with the victim
  • The PoC exploit requires sending approximately 5.7 GB of fragmented OTR data, which may be rate-limited or blocked by transport-layer controls before reaching the vulnerable code path
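The checks listed above, as an added example that is not part of this page or of libotr: a small Python detector that parses OTR fragments (both the `?OTR,k,n,body,` form above and the v3 `?OTR|sender|receiver,k,n,body,` form), reassembles complete fragment sets the way a client would, reads the declared datalen out of an unfragmented v3 DATA message and flags the 0xFFFFFFFF trigger, a declared length larger than the bytes actually present, and fragment storms. The v3 DATA layout it walks (instance tags, flags, keyids, next-DH MPI, counter, datalen) follows the OTR v3 specification; the thresholds (64 fragments, 1 MiB of fragment bodies), the instance tags and all sample messages are constructed for the demonstration, with zeroed MACs that the detector does not verify.

```python
import base64
import binascii
import struct

OVERFLOW_DATALEN = 0xFFFFFFFF     # datalen value the PoC uses to trigger the overflow
V3_DATA_HEADER = b"\x00\x03\x03"  # OTR version 3 + message type DATA; base64 "AAMD"

def parse_fragment(msg):
    """Parse '?OTR,k,n,body,' (v2) or '?OTR|snd|rcv,k,n,body,' (v3). Returns (k, n, body) or None."""
    if not msg.startswith("?OTR") or not msg.endswith(","):
        return None
    head = msg[4:]
    if head.startswith("|"):
        parts = head[1:].split(",", 3)
        if len(parts) != 4 or parts[0].count("|") != 1:
            return None
        k, n, rest = parts[1:]
    elif head.startswith(","):
        parts = head[1:].split(",", 2)
        if len(parts) != 3:
            return None
        k, n, rest = parts
    else:
        return None
    if not (k.isdigit() and n.isdigit()):
        return None
    return int(k), int(n), rest[:-1]          # drop the trailing comma

def data_message_datalen(msg):
    """For an unfragmented OTR v3 DATA message return (declared datalen, bytes actually
    present after the datalen field); None for anything that is not such a message."""
    if not msg.startswith("?OTR:"):
        return None
    try:
        raw = base64.b64decode(msg[5:].rstrip("."), validate=True)
    except binascii.Error:
        return None
    # fixed header: version(2) type(1) sender tag(4) receiver tag(4) flags(1) sender keyid(4) recipient keyid(4)
    if len(raw) < 24 or raw[:3] != V3_DATA_HEADER:
        return None
    (mpilen,) = struct.unpack(">I", raw[20:24])   # next DH public key is an MPI: 4-byte length + bytes
    off = 24 + mpilen + 8                          # skip MPI body and the 8-byte top half of the counter
    if len(raw) < off + 4:
        return None
    (datalen,) = struct.unpack(">I", raw[off:off + 4])
    return datalen, len(raw) - (off + 4)

def scan_conversation(messages, max_fragments=64, max_fragment_bytes=1 << 20):
    """Apply the IOC checks to one conversation's messages. Returns a list of (rule, detail)."""
    alerts, whole, pieces = [], [], {}
    frag_count = frag_bytes = max_n = 0
    for m in messages:
        frag = parse_fragment(m)
        if frag is None:
            whole.append(m)
            continue
        k, n, body = frag
        frag_count, frag_bytes, max_n = frag_count + 1, frag_bytes + len(body), max(max_n, n)
        if k == 1:
            pieces = {}
        pieces[k] = body
        if k == n and all(i in pieces for i in range(1, n + 1)):   # reassemble like the client would
            whole.append("".join(pieces[i] for i in range(1, n + 1)))
    for m in whole:
        info = data_message_datalen(m)
        if info is None:
            continue
        datalen, present = info
        if datalen == OVERFLOW_DATALEN:
            alerts.append(("datalen_overflow_trigger", "datalen=0x%08X" % datalen))
        elif datalen > present:
            alerts.append(("datalen_exceeds_payload", "declared %d, present %d" % (datalen, present)))
    if frag_count > max_fragments or max_n > max_fragments:
        alerts.append(("fragment_storm", "%d fragments, largest declared n=%d" % (frag_count, max_n)))
    if frag_bytes > max_fragment_bytes:
        alerts.append(("oversized_fragmented_payload", "%d bytes of fragment bodies" % frag_bytes))
    return alerts

def build_data_message(datalen, data=b""):
    """Constructed sample, not a capture: minimal v3 DATA message with zeroed instance tags,
    keyids, counter and MAC, a one-byte placeholder MPI, and the given declared datalen."""
    raw = (V3_DATA_HEADER + b"\x00" * 17 + struct.pack(">I", 1) + b"\x02" + b"\x00" * 8
           + struct.pack(">I", datalen) + data + b"\x00" * 20 + struct.pack(">I", 0))
    return "?OTR:" + base64.b64encode(raw).decode() + "."

def fragment(msg, n, sender="00000100", receiver="00000101"):
    """Constructed sample: split msg into n v3-style fragments (instance tags are made up)."""
    step = -(-len(msg) // n)
    return ["?OTR|%s|%s,%d,%d,%s," % (sender, receiver, i + 1, n, msg[i * step:(i + 1) * step])
            for i in range(n)]

if __name__ == "__main__":
    print(scan_conversation(fragment(build_data_message(OVERFLOW_DATALEN), 3)))
    print(scan_conversation(["?OTR,%d,100000,QUFB," % i for i in range(1, 101)]))
```

The `datalen_exceeds_payload` rule is the useful one in practice: a full PoC carries the whole declared payload, so only the `0xFFFFFFFF` match fires, but a probe or an aborted transfer shows up as a declared length the message cannot back. The storm rule needs per-conversation state on the XMPP relay, which is the only place that sees every fragment; a single endpoint sees them only after the transport-layer limits in the last bullet have already applied.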

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL