{"id":"CVE-2016-9436","details":"parsetagx.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to a \u003ci\u003e tag.","modified":"2026-04-16T06:15:37.802514185Z","published":"2017-01-20T15:59:00.677Z","related":["SUSE-SU-2016:3046-1","SUSE-SU-2016:3053-1","openSUSE-SU-2024:10235-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00084.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/94407"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-08"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2016/11/18/3"},{"type":"FIX","url":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"},{"type":"FIX","url":"https://github.com/tats/w3m/issues/16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tats/w3m","events":[{"introduced":"0"},{"last_affected":"55ca98c554c12a861a3ed8c237fb22516fccb337"},{"fixed":"33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.5.3\\+git20160718"}]}}],"versions":["upstream/0.1.10+0.1.11pre+kokb23","upstream/0.3","upstream/0.5.1","upstream/0.5.2","upstream/0.5.3","v0.5.3+debian-19","v0.5.3+git20150203","v0.5.3+git20150509","v0.5.3+git20150623","v0.5.3+git20150720","v0.5.3+git20150811","v0.5.3+git20151010","v0.5.3+git20151119","v0.5.3+git20160228","v0.5.3+git20160511","v0.5.3+git20160718"],"database_specific":{"vanir_signatures":[{"id":"CVE-2016-9436-2fda5057","target":{"file":"file.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["311004745453435617756753801353359150057","143134225384708127344576683335910472673","186384755597943013168483540501107179659","112398006071132182438373256047756762888"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"},{"id":"CVE-2016-9436-79107265","target":{"file":"parsetagx.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["104395104491150999346745860766298117160","22387227991403213856454022304549452974","309193199931375910465849400156799792841"]},"deprecated":false,"signature_version":"v1","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"},{"signature_type":"Function","id":"CVE-2016-9436-986b439c","target":{"file":"file.c","function":"HTMLtagproc1"},"digest":{"length":25115,"function_hash":"4987390351755194380299389707932098436"},"signature_version":"v1","deprecated":false,"source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"},{"id":"CVE-2016-9436-e6ec55a9","target":{"file":"parsetagx.c","function":"parse_tag"},"signature_type":"Function","digest":{"length":3604,"function_hash":"78877202036832609142144252743261376164"},"deprecated":false,"signature_version":"v1","source":"https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.2"}]},{"events":[{"introduced":"0"},{"last_affected":"42.1"}]}],"vanir_signatures_modified":"2026-04-11T05:01:07Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9436.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}