CVE-2016-9643 — Uncontrolled Resource Consumption in Webkit

CWE-400 — Uncontrolled Resource Consumption9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.9%

top 24.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple IOS Apple Safari Apple Tvos +2 more

Timeline

PublishedMar 7

Latest updateMay 17

Description

The regex code in Webkit 2.4.11 allows remote attackers to cause a denial of service (memory consumption) as demonstrated in a large number of ($ (open parenthesis and dollar) followed by {-2,16} and a large number of +) (plus close parenthesis).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDwebkit/webkit2.4.11

▶Appleapple/ios10.3

▶Appleapple/tvos10.2

▶Appleapple/safari10.1

▶Appleapple/watchos3.2

🔴Vulnerability Details

GHSA

GHSA-4mcp-j554-p27j: The regex code in Webkit 2↗2022-05-17

▶

CVEList

CVE-2016-9643: The regex code in Webkit 2↗2017-03-07

▶

OSV

CVE-2016-9643: The regex code in Webkit 2↗2017-03-07

▶

📋Vendor Advisories

Ubuntu

WebKitGTK+ vulnerabilities↗2017-04-10

▶

Apple

CVE-2016-9643: watchOS 3.2↗2017-03-27

▶

Apple

CVE-2016-9643: iOS 10.3↗2017-03-27

▶

Apple

CVE-2016-9643: Safari 10.1↗2017-03-27

▶

Apple

CVE-2016-9643: tvOS 10.2↗2017-03-27

▶