CVE-2016-6354 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Flex
Severity: 9.8 CRITICAL (NVD)
EPSS: 37.7% (top 2.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 21
Latest update: May 17
Description
Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)
Affected Packages: 13 packages
Also affects: Debian Linux 8.0, Enterprise Linux 6.0, 7.0, 7.3, 7.4, 7.5
Patches
Vulnerability Details (4)
GHSA: GHSA-4c6r-jqvh-f3hm: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2 (2022-05-17)
GHSA: GHSA-gpr5-cvq3-j445: Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex (2022-05-14)
OSV: CVE-2017-5469: Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex (2018-06-11)
OSV: CVE-2016-6354: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2 (2016-09-21)
Vendor Advisories
Community (4)
Bugzilla: CVE-2017-5469 Mozilla: Potential Buffer overflow in flex-generated code (MFSA 2017-11, MFSA 2017-12) (2017-04-19)