CVE-2016-9132 — Integer Overflow or Wraparound in Project Botan

CWE-190 — Integer Overflow or Wraparound6 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 50.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Botan Project Botan

Timeline

PublishedJan 30

Latest updateMay 17

Description

In Botan 1.8.0 through 1.11.33, when decoding BER data an integer overflow could occur, which would cause an incorrect length field to be computed. Some API callers may use the returned (incorrect and attacker controlled) length field in a way which later causes memory corruption or other failure.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDbotan_project/botan84 versions+83

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-674g-g96j-pr63: In Botan 1↗2022-05-17

▶

OSV

CVE-2016-9132: In Botan 1↗2017-01-30

▶

💬Community

Bugzilla

CVE-2016-9132 botan: Integer overflow in BER decoder [epel-all]↗2016-12-02

▶

Bugzilla

CVE-2016-9132 botan: Integer overflow in BER decoder↗2016-12-02

▶

Bugzilla

CVE-2016-9132 botan: Integer overflow in BER decoder [fedora-all]↗2016-12-02

▶