{"id":"CVE-2016-9435","details":"The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to \u003cdd\u003e tags.","modified":"2026-04-16T06:17:31.186443016Z","published":"2017-01-20T15:59:00.613Z","related":["SUSE-SU-2016:3046-1","SUSE-SU-2016:3053-1","openSUSE-SU-2024:10235-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94407"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-08"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/11/18/3"},{"type":"FIX","url":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"},{"type":"FIX","url":"https://github.com/tats/w3m/issues/16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tats/w3m","events":[{"introduced":"0"},{"last_affected":"55ca98c554c12a861a3ed8c237fb22516fccb337"},{"fixed":"33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.5.3\\+git20160718"}]}}],"versions":["upstream/0.1.10+0.1.11pre+kokb23","upstream/0.3","upstream/0.5.1","upstream/0.5.2","upstream/0.5.3","v0.5.3+debian-19","v0.5.3+git20150203","v0.5.3+git20150509","v0.5.3+git20150623","v0.5.3+git20150720","v0.5.3+git20150811","v0.5.3+git20151010","v0.5.3+git20151119","v0.5.3+git20160228","v0.5.3+git20160511","v0.5.3+git20160718"],"database_specific":{"vanir_signatures_modified":"2026-04-11T05:01:06Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.2"}]},{"events":[{"introduced":"0"},{"last_affected":"42.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9435.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"id":"CVE-2016-9435-2fda5057","target":{"file":"file.c"},"signature_type":"Line","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd","digest":{"line_hashes":["311004745453435617756753801353359150057","143134225384708127344576683335910472673","186384755597943013168483540501107179659","112398006071132182438373256047756762888"],"threshold":0.9}},{"signature_version":"v1","deprecated":false,"target":{"file":"parsetagx.c"},"id":"CVE-2016-9435-79107265","signature_type":"Line","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd","digest":{"line_hashes":["104395104491150999346745860766298117160","22387227991403213856454022304549452974","309193199931375910465849400156799792841"],"threshold":0.9}},{"signature_version":"v1","deprecated":false,"id":"CVE-2016-9435-986b439c","target":{"file":"file.c","function":"HTMLtagproc1"},"signature_type":"Function","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd","digest":{"function_hash":"4987390351755194380299389707932098436","length":25115}},{"signature_version":"v1","deprecated":false,"id":"CVE-2016-9435-e6ec55a9","target":{"file":"parsetagx.c","function":"parse_tag"},"signature_type":"Function","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd","digest":{"function_hash":"78877202036832609142144252743261376164","length":3604}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}