What is CVE-2016-2196?

CVE-2016-2196 is a critical-severity vulnerability in Botan_project Botan, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 9.8/10. Published 2016-05-13.

How severe is CVE-2016-2196?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2016-2196 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Buffer overflow in Botan_project Botan

CVE-2016-2196

Heap-based buffer overflow in the P-521 reduction function in Botan 1.11.x before 1.11.27 allows remote attackers to cause a denial of service (memory overwrite and crash) or execute arbitrary code via unspecified vectors.

Vulnerability class: Buffer Overflow

EPSS: 0.046 (89.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Botan_project Botan — versions 1.11.0, 1.11.1, 1.11.2
N/a — versions n/a

Weakness classification (CWE)

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer

Public proof-of-concept exploits

mrash/afl-cve

References

[botan-devel] 20160201 Botan 1.11.28 and 1.10.11 released with security fixes (Vendor Advisory, mailing-list, x_refsource_MLIST)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)

Frequently asked questions

What is CVE-2016-2196?: CVE-2016-2196 is a critical-severity vulnerability in Botan_project Botan, classified under Improper Restriction of Operations within the Bounds of a Memory Buffer. CVSS score: 9.8/10. Published 2016-05-13.
How severe is CVE-2016-2196?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2016-2196 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.