CVE-2016-9939 — Improper Input Validation in Libcrypto

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.5HIGHNVD

EPSS

5.9%

top 9.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libcrypto Cryptopp Crypto Debian Linux

Timeline

PublishedJan 30

Latest updateMay 14

Description

Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there is not enough content octets in the ASN.1 object, then the function will fail and the memory block will be zeroed even if its unused. There is a noticeable delay during the wipe for a large allocation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDcryptopp/crypto5.6.4

▶debiandebian/libcrypto< libcrypto++ 5.6.4-5 (bookworm)

Also affects: Debian Linux 8.0

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-x7wj-9rr2-gfcg: Crypto++ (aka cryptopp and libcrypto++) 5↗2022-05-14

▶

OSV

CVE-2016-9939: Crypto++ (aka cryptopp and libcrypto++) 5↗2017-01-30

▶

📋Vendor Advisories

Debian

CVE-2016-9939: libcrypto++ - Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER d...↗2016

▶

💬Community

Bugzilla

CVE-2016-9939 cryptopp: DoS in ASN.1 parser due to octet processing [epel-all]↗2016-12-13

▶

Bugzilla

CVE-2016-9939 cryptopp: DoS in ASN.1 parser due to octet processing↗2016-12-13

▶

Bugzilla

CVE-2016-9939 cryptopp: DoS in ASN.1 parser due to octet processing [fedora-all]↗2016-12-13

▶