CVE-2016-0718

CRITICAL severity · CVSS 9.8 · Memory corruption

9.8CVSS CRITICAL

Summary

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)3%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (5)

Python Ubuntu Debian Mozilla Firefox SUSE Linux Enterprise

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00064.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00006.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00007.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00010.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.htmlAdvisory
http://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.htmlAdvisory