CVE-2016-6309
published 2016-09-26


Priority: P263 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 70.22% (99.3th percentile)
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.

Affected

2 ranges

Vendor    Product   Version range   Fixed in
debian    openssl   –               –
openssl   openssl   –               –

Detection & IOCs (extracted from sources)

path: statem/statem.c
other: OpenSSL.Large.Message.Size.Handling.UAF
  • Trigger condition: a crafted TLS handshake message with a body larger than 16KB causes a realloc of init_buf, leaving the init_msg pointer dangling (use-after-free in tls_get_message_body)
  • No authentication required to exploit; the attack is fully remote and unauthenticated against any OpenSSL 1.1.0a TLS server
  • Detect oversized TLS handshake records (>16KB body) targeting OpenSSL 1.1.0a servers as a potential exploitation attempt for CVE-2016-6309
  • Vulnerable code path: read_state_machine() → tls_get_message_header() sets init_msg, then BUF_MEM_grow_clean() reallocates init_buf, freeing the old buffer, then tls_get_message_body() dereferences the stale init_msg pointer
  • The vulnerability exclusively affects OpenSSL 1.1.0a; OpenSSL 1.1.0 users should upgrade to 1.1.0b. All other OpenSSL release series (1.0.x, etc.) are unaffected.
  • The DTLS code path is not affected; the vulnerable realloc/use-after-free path is only reachable via the TLS (non-DTLS) handshake message processing branch
  • The vulnerability was introduced by the patch for CVE-2016-6307; deployments that applied the CVE-2016-6307 patch (OpenSSL 1.1.0a) without subsequently upgrading to 1.1.0b are at risk
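The code-path bullets above describe a generic C hazard: a pointer into a buffer is cached, the buffer is grown with realloc (which may move it), and the cached pointer is then dereferenced. The following is an added illustration of that pattern and its offset-based remedy; it is not OpenSSL's code, and the buffer type, framing and function names are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a growable message buffer (constructed for this
 * example; not OpenSSL's BUF_MEM). Growing may move the block like realloc. */
typedef struct { unsigned char *data; size_t max; } msg_buf;

static int msg_buf_grow(msg_buf *b, size_t need) {
    if (b->max >= need) return 1;
    unsigned char *p = realloc(b->data, need);
    if (p == NULL) return 0;
    b->data = p;   /* old block is freed here: any pointer into it now dangles */
    b->max = need;
    return 1;
}

/* Framing used here: 1-byte type, 3-byte big-endian body length, then body.
 * Returns body length or -1 on a malformed record. The body pointer is
 * derived from an OFFSET after the grow; caching `b->data + HDR_LEN` before
 * the grow and dereferencing it afterwards is the use-after-free pattern. */
#define HDR_LEN 4
static long read_message(msg_buf *b, const unsigned char *wire, size_t wire_len,
                         unsigned char **body_out) {
    if (wire_len < HDR_LEN || !msg_buf_grow(b, HDR_LEN)) return -1;
    memcpy(b->data, wire, HDR_LEN);
    size_t body_len = ((size_t)b->data[1] << 16) | ((size_t)b->data[2] << 8) | b->data[3];
    if (wire_len - HDR_LEN < body_len) return -1;
    size_t body_off = HDR_LEN;                           /* offset survives a move */
    if (!msg_buf_grow(b, HDR_LEN + body_len)) return -1; /* may realloc and move */
    memcpy(b->data + body_off, wire + HDR_LEN, body_len);
    *body_out = b->data + body_off;                      /* recomputed from new base */
    return (long)body_len;
}

/* Constructed 20 000-byte body, above the 16 KB threshold in the record, so the
 * second grow has to reallocate the 4-byte header buffer. Returns 1 if the
 * body read back through the recomputed pointer is intact. */
static int demo_large_message(void) {
    size_t n = 20000, ok = 0;
    unsigned char *wire = malloc(HDR_LEN + n), *body;
    if (wire == NULL) return 0;
    wire[0] = 0x01; wire[1] = (unsigned char)(n >> 16);
    wire[2] = (unsigned char)(n >> 8); wire[3] = (unsigned char)n;
    memset(wire + HDR_LEN, 'A', n);
    msg_buf b = { NULL, 0 };
    long got = read_message(&b, wire, HDR_LEN + n, &body);
    ok = got == (long)n && body[0] == 'A' && body[n - 1] == 'A';
    free(b.data); free(wire);
    return (int)ok;
}
```

Building with AddressSanitizer and replacing the offset with a pointer cached before the second grow is the quickest way to see the heap-use-after-free report the bullets describe.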

CVSS provenance

nvd            v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_debian         9.8    LOW
vendor_redhat         9.8    CRITICAL
vendor_cisco          5.5    MEDIUM