CyberSec.Space Logo
Back to CVE Browser

CVE-2016-2851

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0410%
EPSS Percentile27.70th
PublishedApr 7, 2016
Last ModifiedMay 6, 2026

Vulnerability Description

Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.

Affected Platforms (CPE)

πŸ’»
Debian

Debian Linux

= 7.0
πŸ’»
Debian

Debian Linux

= 8.0
πŸ’»
Opensuse

Leap

= 42.1
πŸ’»
Opensuse

Opensuse

= 13.2
πŸ“¦
Cypherpunks

Libotr

<= 4.1.0

References & Advisories

πŸ”— http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.html
πŸ”— http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.html
πŸ”— http://seclists.org/fulldisclosure/2016/Mar/21
πŸ”— http://www.debian.org/security/2016/dsa-3512
πŸ”— http://www.securityfocus.com/archive/1/537745/100/0/threaded
πŸ”— http://www.securityfocus.com/bid/84285
πŸ”— http://www.ubuntu.com/usn/USN-2926-1
πŸ”— https://lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.html

Related Vulnerabilities

CVE-1999-069810.0

Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.

CVE-2026-234628.8

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following t...

CVE-2006-70948.5

ftpd, as used by Gentoo and Debian Linux, sets the gid to the effective uid instead of the effective group id before executing /bi...

CVE-2026-231717.8

In the Linux kernel, the following vulnerability has been resolved: bonding: fix use-after-free due to enslave fail after slave a...