{"id":"CVE-2016-9841","details":"inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.","aliases":["PSF-2017-3"],"modified":"2026-04-16T04:33:49.116692415Z","published":"2017-05-23T04:29:01.743Z","related":["CGA-qcv5-r3xg-v9fh","SUSE-SU-2016:3209-1","SUSE-SU-2017:0003-1","SUSE-SU-2017:0004-1","SUSE-SU-2017:1384-1","SUSE-SU-2017:1385-1","SUSE-SU-2017:1386-1","SUSE-SU-2017:1387-1","SUSE-SU-2017:1389-1","SUSE-SU-2017:1444-1","SUSE-SU-2017:2699-1","SUSE-SU-2017:2700-1","SUSE-SU-2017:2989-1","SUSE-SU-2017:3235-1","SUSE-SU-2017:3369-1","SUSE-SU-2017:3411-1","SUSE-SU-2017:3440-1","SUSE-SU-2017:3455-1","SUSE-SU-2018:0005-1","SUSE-SU-2018:0061-1","SUSE-SU-2018:1815-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html"},{"type":"WEB","url":"https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib"},{"type":"WEB","url":"https://wiki.mozilla.org/images/0/09/Zlib-report.pdf"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html"},{"type":"WEB","url":"https://support.apple.com/HT208113"},{"type":"WEB","url":"https://usn.ubuntu.com/4246-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4292-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/12/05/21"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"WEB","url":"https://support.apple.com/HT208115"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html"},{"type":"WEB","url":"https://support.apple.com/HT208144"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html"},{"type":"WEB","url":"http://www.securityfocus.com/bid/95131"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039596"},{"type":"WEB","url":"https://support.apple.com/HT208112"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039427"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3047"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20171019-0001/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1220"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3046"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1221"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1222"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-54"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3453"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-56"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2999"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1402346"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/madler/zlib","events":[{"introduced":"7c2a874e50b871d04fbd19501f7b42cff55e5abc"},{"fixed":"2fa463bacfff79181df1a5270fb67cc679a53e71"},{"fixed":"9aaec95e82117c1cb0f9624264c3618fc380cecb"}],"database_specific":{"versions":[{"introduced":"1.2.0"},{"fixed":"1.2.9"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"54df0057e18d8c82c23fbd4e0bf5b5dc2e762955"},{"last_affected":"e48d775c6f066add457fa8cfb2ebc4d5ff0c7613"},{"introduced":"0"},{"last_affected":"06bc670db0c0e45b3ea11409382a5c315961f682"},{"introduced":"0"},{"last_affected":"913071c0b16cc03e703308250d795bc381627e37"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"b93c1661d689c8b7decc7563ba15f6ed140a4eb6"}],"database_specific":{"versions":[{"introduced":"5.5.0"},{"last_affected":"5.5.61"},{"introduced":"5.6.0"},{"last_affected":"5.6.41"},{"introduced":"5.7.0"},{"last_affected":"5.7.23"},{"introduced":"8.0.0"},{"last_affected":"8.0.12"}]}},{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0"},{"last_affected":"8eda60c8234177a7d41aac0828fab30c08970cd8"},{"introduced":"0"},{"last_affected":"0d8021e5a4cf0a6aa3a700a361f6d42c2894f2ba"},{"introduced":"0"},{"last_affected":"fc13773aab9ca573ddd24ccaf91aeb3070837cbc"},{"introduced":"0"},{"last_affected":"ce3e3c5fe15479475c068482c48eb9cbf1ac9df5"},{"introduced":"0"},{"last_affected":"362fe010fe8f6feb0030e1e02c689b501e11ddb7"},{"introduced":"0"},{"last_affected":"4760abcdd95070e06257b5408c2f72dcc787cfa9"},{"introduced":"0"},{"last_affected":"a34f1d644905b1989bebfb8658220b2a692a1589"},{"introduced":"0"},{"last_affected":"ce3e3c5fe15479475c068482c48eb9cbf1ac9df5"},{"introduced":"0"},{"last_affected":"362fe010fe8f6feb0030e1e02c689b501e11ddb7"},{"introduced":"0"},{"last_affected":"ce3e3c5fe15479475c068482c48eb9cbf1ac9df5"},{"introduced":"0"},{"last_affected":"362fe010fe8f6feb0030e1e02c689b501e11ddb7"},{"introduced":"cf41627411886000429bde058a6594fb7f6d6d47"},{"fixed":"ab4af087e83d91a46354d765306d3543b1d85423"},{"introduced":"0"},{"fixed":"cea049bcf8bb0f9a6e0095dbd5dffdb14dc8f71b"},{"introduced":"0"},{"last_affected":"0a3a967d54cd7e3ea509914cbf14e0fea04dd586"},{"introduced":"0"},{"last_affected":"0a3a967d54cd7e3ea509914cbf14e0fea04dd586"},{"introduced":"f9f837885343a2a3f5ba2b8c510eaac395c8c865"},{"last_affected":"85df6ada477715020dbd22e2fb5e687d84d663ff"},{"introduced":"6dc12b1042d5d4727f77e8a1c5758dab91400069"},{"fixed":"ea2ceac846abb279fd4d141bfe32fc4f7a6e30e0"},{"introduced":"ce3e3c5fe15479475c068482c48eb9cbf1ac9df5"},{"last_affected":"c6a397bce63fc026421e1515b98eec9b8b5a8468"},{"introduced":"6b1c40be84fbe5ea404f25e4e340a0c1fe67a60a"},{"fixed":"fbc9fded2fb4caa104e55146e6fa4fc2c3d11daf"},{"introduced":"362fe010fe8f6feb0030e1e02c689b501e11ddb7"},{"fixed":"bebda6df68c71f233a2ee212b2569ae6e70b48a9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"13.2"},{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"0"},{"last_affected":"5.8"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"7.4"},{"introduced":"0"},{"last_affected":"7.5"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"6.0"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"10.0.0"},{"fixed":"10.13.0"},{"introduced":"0"},{"fixed":"11.0"},{"introduced":"0"},{"last_affected":"7.1"},{"introduced":"0"},{"last_affected":"7.1"},{"introduced":"4.0.0"},{"last_affected":"4.1.2"},{"introduced":"4.2.0"},{"fixed":"4.8.2"},{"introduced":"6.0.0"},{"last_affected":"6.8.1"},{"introduced":"6.9.0"},{"fixed":"6.10.2"},{"introduced":"7.0.0"},{"fixed":"7.6.0"}]}}],"versions":["mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.5.15","mysql-5.5.19","mysql-5.5.23","mysql-5.5.25","mysql-5.5.27","mysql-5.5.44","mysql-5.5.47","mysql-5.5.49","mysql-5.5.59","mysql-5.5.60","mysql-5.5.61","mysql-5.6.40","mysql-5.6.41","mysql-5.7.23","mysql-8.0.12","v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.6","v0.1.0","v0.1.1","v0.1.10","v0.1.100","v0.1.101","v0.1.102","v0.1.103","v0.1.104","v0.1.11","v0.1.12","v0.1.13","v0.1.14","v0.1.15","v0.1.16","v0.1.17","v0.1.18","v0.1.19","v0.1.2","v0.1.20","v0.1.21","v0.1.22","v0.1.23","v0.1.24","v0.1.25","v0.1.26","v0.1.27","v0.1.28","v0.1.29","v0.1.3","v0.1.30","v0.1.31","v0.1.32","v0.1.33","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.1.92","v0.1.93","v0.1.94","v0.1.95","v0.1.96","v0.1.97","v0.1.98","v0.1.99","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.4.0","v0.5.0","v0.5.1","v0.5.10","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.5-rc1","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.7.0","v0.7.2","v0.7.3","v1.0.1","v1.0.1-release","v1.0.2","v1.0.2-release","v1.0.3","v1.0.4","v1.1.0","v1.2.0","v1.2.0.1","v1.2.0.2","v1.2.0.3","v1.2.0.4","v1.2.0.5","v1.2.0.6","v1.2.0.7","v1.2.0.8","v1.2.1","v1.2.1.1","v1.2.1.2","v1.2.2","v1.2.2.1","v1.2.2.2","v1.2.2.3","v1.2.2.4","v1.2.3","v1.2.3.1","v1.2.3.2","v1.2.3.3","v1.2.3.4","v1.2.3.5","v1.2.3.6","v1.2.3.7","v1.2.3.8","v1.2.3.9","v1.2.4","v1.2.4-pre1","v1.2.4-pre2","v1.2.4.1","v1.2.4.2","v1.2.4.3","v1.2.4.4","v1.2.4.5","v1.2.5","v1.2.5.1","v1.2.5.2","v1.2.5.3","v1.2.6","v1.2.6.1","v1.2.7","v1.2.7.1","v1.2.7.2","v1.2.7.3","v1.2.8","v1.3.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.7.0","v1.7.1","v10.0.0","v10.1.0","v10.10.0","v10.11.0","v10.12.0","v10.2.0","v10.2.1","v10.3.0","v10.4.0","v10.4.1","v10.5.0","v10.6.0","v10.7.0","v10.8.0","v10.9.0","v13.0.0","v13.0.1","v13.1.0","v13.2.0","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0","v2.2.1","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v3.0.0","v4.0.0","v4.1.0","v4.1.1","v4.1.2","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.3.0","v4.3.1","v4.3.2","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.4.4","v4.4.5","v4.4.6","v4.4.7","v4.5.0","v4.6.0","v4.6.1","v4.6.2","v4.7.0","v4.7.1","v4.7.2","v4.7.3","v4.8.0","v4.8.1","v5.0.0","v5.1.0","v5.1.1","v5.2.0","v5.3.0","v5.4.0","v5.4.1","v5.5.0","v5.6.0","v5.7.0","v5.7.1","v5.8.0","v6.0.0","v6.1.0","v6.10.0","v6.10.1","v6.2.0","v6.2.1","v6.2.2","v6.3.0","v6.3.1","v6.4.0","v6.5.0","v6.6.0","v6.7.0","v6.8.0","v6.8.1","v6.9.0","v6.9.1","v6.9.2","v6.9.3","v6.9.4","v6.9.5","v7.0.0","v7.1.0","v7.2.0","v7.2.1","v7.3.0","v7.4.0","v7.5.0","v8.0.0"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","signature_type":"Line","target":{"file":"contrib/infback9/inftree9.c"},"signature_version":"v1","id":"CVE-2016-9841-414fe37a","digest":{"line_hashes":["16120810892851687554789220157819832702","131827276427891043182256510196340875300","189513208101419307945534658579998871654","212147175082612510136412243030409560140","299085759267730258754641938507926344080","138959356155413799645705262600700520329","29752084737358720135606731688432604107","166620327939650871483308933286046278470"],"threshold":0.9},"deprecated":false},{"signature_type":"Line","source":"https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb","target":{"file":"inffast.c"},"digest":{"line_hashes":["78072732683752644015387925034994222207","152217204562056169832124309407939299073","215225918295936704424918487133039937568","105916848088157406623367830967252372900","160347344788684159828158463979696903015","43373212368396179797268006176184707519","184603405977538261864751504079256823382","300158625332067890321432625334982300477","231456712669769731133653513946756254403","76619535432227392067544577638805564880","86478956061661644697224805573734588602","309264260464250844037425145840657077392","42929194529115052760348046443875986836","69092477746976203796181914166585536326","330500421171059488258816703603104184117","39109048859430692111328065213586549476","141918057837261653864758598178289124013","220076265684161871297861930656071873654","232314986378571625308419906069611283002","271261762835987539750125557095311680186","87109922922403481839749730139942871992","123495222477592797725822233535854539932","176140314733410984217923827334674272305","220153160189091466688700385333929749459","338928063149012365420777119484299731809","291002661199329319366599886303090915736","136749551968338550545808172330052836179","312124000686700852887733291669935553370","60415438212528782552969295181943670311","156128004555781001681532607068313777365","95121502532506852848735358562075473053","128214092140692356294035430869947201312","225960269161724208534821870935736004185","132416564511346590982791537042534820632","333045549506452708645355462802558117647","232314986378571625308419906069611283002","271261762835987539750125557095311680186","87109922922403481839749730139942871992","217247340695284845200408995274744903482","274777786069307210412928712498359338970","304397135614779444569141991583228961447","120430037352594325396773076799784644981","199880817059807794915071985179638614896","137949426801562265268064716684471143124","128214092140692356294035430869947201312","216890108406696089672723699978988015568","325344631564606056501479243613347222251","253934916918483800687220905448916387707","324117531668709484021643110752832760201","269848445246898799838539123745173915525","237558994423137954737767269069474710707","334061756316789733532185870324434516532","161803794516738361969090099175277537039","280595309763251253214168943144476014651","2158493544439301373911245954394611157","306339348680549637083011766076218194468","74463155369157102119310394397879202449","237224848044011259924686497689767912971","167095680762181146134547195001451837632","128547645879596891169285315880325464325","317619100846420598911816750531356741758","307640751256381187047569816370424218950","268811912412110267696912500072565844297","73504501321574436146180087853349147562","278297180902125556931793117875411137737","69472112817935067921514582800476370211","114628231497259286507976161332925760276","269182909587005509966059087799845181470","137069313049285435149612788683553497597","13237349173393881884674916736449391574","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","13237349173393881884674916736449391574","311229632863293049854145443456278875842","316217250228203442530821723093471190301","2544357164870417304895274205782808302","327428738380851875072086640196860844719","38615536945376955112304150955126290690","330323815705367750289174355923513978008","255961283142030936276399941491628317648","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","13237349173393881884674916736449391574","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","215270906290005783622426038741650274918","206218689166382866616993724409908720033","267736281923668211909025488814612772203","316402213967916457323416304942297066521","42733897016680122202611280292237541530","47312894792537028295421068653932174889","127719182014782471663968575388626875007","276701571312641104074028786671089426922","223277832707020671107633993992068520850","196889730232970301984699769191684713315","114592134611855788707876554101010302842","333607819032366246440607644387681849345","122288431553698812874327513897280558320","124901143056360359423607317645622031993","172510615937141601851724735425487358199","259495703048052745955879027085558613000","67490943479371108797309281824855679892","19827572648871648518340550292068846984","88501319238230112893621207998237820962","47312894792537028295421068653932174889","209117466490795013100449185623148946921","70352130885428897057911716129260226260","64450438259691921455849036414727510360","138444396159167569224176422330227223751","114592134611855788707876554101010302842","333607819032366246440607644387681849345","122288431553698812874327513897280558320","80829327876727030736841137660224091128","330744135247363802013669152669988602556","294258265210916458753940417463134944243","121403476583364000526180708597213122598","250856604606482844765354843044255597698","228608713377455253737580986856305145706"],"threshold":0.9},"id":"CVE-2016-9841-67c1d2cf","signature_version":"v1","deprecated":false},{"signature_type":"Line","source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","target":{"file":"inftrees.c"},"digest":{"line_hashes":["33289512042373412906093149139436580830","91426820839317131268716791780186008144","194818944693421866592958753112657371532","159668138545083466055711927804961193023","255066741664144691720111386013603848817","234232056215069776200927132383547217084","295366361648995060731826038642910043574","194364176202057146808626712171096427014"],"threshold":0.9},"id":"CVE-2016-9841-7d837108","signature_version":"v1","deprecated":false},{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","signature_type":"Line","target":{"file":"zconf.h"},"signature_version":"v1","id":"CVE-2016-9841-877aa23a","digest":{"line_hashes":["173123370633123651154244949134281019542","102273106005205754638040113472517884264","235429814244466703824677965529538273675","208303993750882978934021550073336842459","97615609550968706431926448181519994863","339118080829838946074693924107468946553","80218173194119430334455345176075092856","221115080022463896686917755184628890434","220779142876063203106760351651649795828","79972837918061490055760410628729165483","29640572416293066614062894907893542972","320836455951002542724053434768351830366","278439570502606989562359642144711240921","74969605840670941905966442808748242415","136349982313411503433050181948921111059","84828482625013498067679033752823325859","218156909012989000717970859258362570251","156120690550699675574548547437792604157","174169894385923384555886757688589868129","113887265610536653913694580851125688715","322944331613534704823013669100696288875","25052244974639821325585794070234606822","38325901798038084643343130133098808807","158002972493212489475769473812998149461","292758423975469462340735089873782351214","197319885884091558389402997168622303229","273529858872929722013164257392580258347","2188558013403878625577241987667171928","227718873515223558132286010362181398299","337146253929636158546926301773569599342","276954032770302743552966193594550874576","326215511158024088703961555581128655326","243619819439693214143230160079414937501","232483367442315974246589415647223061426","260395415480728946097742438941645713965","292290712618831869667048484348647386677","191647618147979755276168823006196468103","219013074033810971796049774630081821884","205564429641538400226903564968255480612","294498949750680192840586029840089044143","183398131489758762038008857864289906980","69378252258223222776676769656103498778","150063933148831471523654235222726000523","160919057829188140111342717977171904200","113985210579133651988131412870508958926","236797731968003545657916862894293146441"],"threshold":0.9},"deprecated":false},{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","signature_type":"Line","target":{"file":"deflate.c"},"signature_version":"v1","id":"CVE-2016-9841-ebd0da57","digest":{"line_hashes":["241551680136109100503375360648810826978","68187369923040033918172656615963607133","297761764425146664349507739115654243055"],"threshold":0.9},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9841.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"42.1"}]},{"events":[{"introduced":"0"},{"last_affected":"42.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.0-update161"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.0-update151"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0-update144"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6.0-update161"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7.0-update151"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0-update144"}]},{"events":[{"introduced":"0"},{"fixed":"11"}]},{"events":[{"introduced":"0"},{"fixed":"4"}]},{"events":[{"introduced":"7.3"}]},{"events":[{"introduced":"9.5"}]},{"events":[{"introduced":"11.0.0"},{"last_affected":"11.70.1"}]},{"events":[{"introduced":"7.2"}]}],"vanir_signatures_modified":"2026-04-11T03:57:07Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}