What is CVE-2015-8659?

CVE-2015-8659 is a critical-severity software vulnerability (Memory corruption) with a CVSS score of 10. The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.

Is CVE-2015-8659 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 4%.

What products does CVE-2015-8659 affect?

Tracked products affected include Apple iOS. Check the version you run to see whether it is affected.

How do I fix CVE-2015-8659?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2015-8659

CRITICAL severity · CVSS 10 · Memory corruption

10CVSS CRITICAL

Summary

The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)4%

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

Apple iOS

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175085.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175423.html
http://www.openwall.com/lists/oss-security/2015/12/23/10
http://www.openwall.com/lists/oss-security/2015/12/23/6