{"id":"CVE-2016-5359","details":"epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 1.12.x before 1.12.12 mishandles offsets, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted packet.","modified":"2026-04-16T06:18:42.463161873Z","published":"2016-08-07T16:59:14.550Z","related":["SUSE-SU-2016:2212-1","SUSE-SU-2016:2453-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/91140"},{"type":"ADVISORY","url":"https://www.wireshark.org/security/wnpa-sec-2016-38.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3615"},{"type":"REPORT","url":"https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12408"},{"type":"FIX","url":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2016/06/09/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wireshark/wireshark","events":[{"introduced":"0"},{"last_affected":"4fab41a1f0e14e9124ea6a61e7bae42e95599495"},{"introduced":"0"},{"last_affected":"01b65bf3a8e3d2f856471b0bb5a7e38dabf815f3"},{"introduced":"0"},{"last_affected":"898fa22ad39718f1a7cb9976f61a4f85e4e72b05"},{"introduced":"0"},{"last_affected":"bb3e9a0fc7c94f7bde5b62aedfee06f748c1d37f"},{"introduced":"0"},{"last_affected":"b4861da48fa018a82f674161b7335c2e269d33ec"},{"introduced":"0"},{"last_affected":"5819e5b13c0bbd224fde5a4c900ad8e22f09b4cc"},{"introduced":"0"},{"last_affected":"ee1fce6fb32c55cf1af2fe1778f67eb77c0ff8d4"},{"introduced":"0"},{"last_affected":"7fc8978399fe7fe20bac8f2ef5f2f15eef4c4698"},{"introduced":"0"},{"last_affected":"5b6e543233efc5c8abfd8edd6fbf717f7ec3f632"},{"introduced":"0"},{"last_affected":"fadb421970e5e2103ebd15ca1e5d19b89d20efa0"},{"introduced":"0"},{"last_affected":"7f56a20e1e701216b3c31c3540022f604978b1e3"},{"introduced":"0"},{"last_affected":"c74c83c36c90e874c0aea0d98a84396852713d1e"},{"fixed":"b8e0d416898bb975a02c1b55883342edc5b4c9c0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.12.0"},{"introduced":"0"},{"last_affected":"1.12.1"},{"introduced":"0"},{"last_affected":"1.12.2"},{"introduced":"0"},{"last_affected":"1.12.3"},{"introduced":"0"},{"last_affected":"1.12.4"},{"introduced":"0"},{"last_affected":"1.12.5"},{"introduced":"0"},{"last_affected":"1.12.6"},{"introduced":"0"},{"last_affected":"1.12.7"},{"introduced":"0"},{"last_affected":"1.12.8"},{"introduced":"0"},{"last_affected":"1.12.9"},{"introduced":"0"},{"last_affected":"1.12.10"},{"introduced":"0"},{"last_affected":"1.12.11"}]}}],"versions":["backups/ethereal@18706","ethereal-0-3-15","ethereal-0.3.15","start","v1.11.0","v1.11.0-rc1","v1.11.1","v1.11.1-rc1","v1.11.2","v1.11.2-rc1","v1.11.3","v1.11.3-rc1","v1.11.4-rc1","v1.12.0","v1.12.0-rc1","v1.12.0-rc2","v1.12.0rc0","v1.12.0rc3","v1.12.1","v1.12.10","v1.12.10rc0","v1.12.11","v1.12.11rc0","v1.12.12rc0","v1.12.2","v1.12.2rc0","v1.12.3","v1.12.3rc0","v1.12.4","v1.12.4rc0","v1.12.5","v1.12.5rc0","v1.12.6","v1.12.6rc0","v1.12.7","v1.12.7rc0","v1.12.8","v1.12.8rc0","v1.12.9","v1.12.9rc0","wireshark-1.11.3","wireshark-1.12.0","wireshark-1.12.1","wireshark-1.12.10","wireshark-1.12.11","wireshark-1.12.2","wireshark-1.12.3","wireshark-1.12.4","wireshark-1.12.5","wireshark-1.12.6","wireshark-1.12.7","wireshark-1.12.8","wireshark-1.12.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-5359.json","vanir_signatures_modified":"2026-04-11T04:02:15Z","vanir_signatures":[{"source":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0","digest":{"length":5422,"function_hash":"148500127934408009697092230251578610084"},"deprecated":false,"target":{"file":"epan/dissectors/packet-wbxml.c","function":"parse_wbxml_attribute_list_defined"},"signature_version":"v1","id":"CVE-2016-5359-31125c20","signature_type":"Function"},{"source":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0","signature_type":"Function","deprecated":false,"digest":{"length":9440,"function_hash":"163944597436354463178870928724087187552"},"signature_version":"v1","id":"CVE-2016-5359-4563910b","target":{"file":"epan/dissectors/packet-wbxml.c","function":"parse_wbxml_tag_defined"}},{"source":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0","signature_type":"Line","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["67610622701970184290553588580183889084","91325355928160085932440203182364159450","120720890600383259180895777098256288181","114910516480691935899078898207847627433","165008569202645622300382822615495196403","280988204502699191843930655572756473488","66475716529971636501610138979105542789","35398807192904916275203729800690187297","153960594443750609499689575013439143648","261890174015245498500883166218909921908","324261148394130691302777141913996756101","90488073146076214700603127876341026031","308756478074685172930017545175108057558","91325355928160085932440203182364159450","120720890600383259180895777098256288181","114910516480691935899078898207847627433","35416387769534039057238932264827112118","320126448307663699326746988189196620004","234977784954851322905887342735437873515","119232718222261333802185607524997486061","153960594443750609499689575013439143648","261890174015245498500883166218909921908","178482820545290865534138615772894783663","246104676115242477137918595698077946980","67610622701970184290553588580183889084","91325355928160085932440203182364159450","120720890600383259180895777098256288181","114910516480691935899078898207847627433","115155009236890171133872081544887437654","271391782470751431774662124775527043402","75339411829285533422903877661384994320","205143464398937600503789611453335812796","291280183616629744421098469514181876075","273739085990933085164187671996451828353","305150414078321585581275249061464994301","60322449002918953301779936948786160971","91325355928160085932440203182364159450","120720890600383259180895777098256288181","114910516480691935899078898207847627433","334870869368734171198288830261048231151","259489133114930017640925913381511243904","188905657936584469301308080101078066294","250985881998070324609114870669581211247","291280183616629744421098469514181876075","273739085990933085164187671996451828353","305150414078321585581275249061464994301"]},"signature_version":"v1","id":"CVE-2016-5359-9141aec3","target":{"file":"epan/dissectors/packet-wbxml.c"}},{"source":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0","signature_type":"Function","deprecated":false,"digest":{"length":8967,"function_hash":"159171920405067032407074568214499969604"},"signature_version":"v1","id":"CVE-2016-5359-a81ea8fa","target":{"file":"epan/dissectors/packet-wbxml.c","function":"parse_wbxml_tag"}},{"source":"https://github.com/wireshark/wireshark/commit/b8e0d416898bb975a02c1b55883342edc5b4c9c0","digest":{"length":4678,"function_hash":"47902761673621423256170958096113712080"},"deprecated":false,"target":{"file":"epan/dissectors/packet-wbxml.c","function":"parse_wbxml_attribute_list"},"signature_version":"v1","id":"CVE-2016-5359-c56d40e4","signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}