{"id":"CVE-2016-9841","details":"inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.","aliases":["PSF-2017-3"],"modified":"2026-05-13T13:20:22.123281Z","published":"2017-05-23T04:29:01.743Z","related":["CGA-qcv5-r3xg-v9fh","SUSE-SU-2016:3209-1","SUSE-SU-2017:0003-1","SUSE-SU-2017:0004-1","SUSE-SU-2017:1384-1","SUSE-SU-2017:1385-1","SUSE-SU-2017:1386-1","SUSE-SU-2017:1387-1","SUSE-SU-2017:1389-1","SUSE-SU-2017:1444-1","SUSE-SU-2017:2699-1","SUSE-SU-2017:2700-1","SUSE-SU-2017:2989-1","SUSE-SU-2017:3235-1","SUSE-SU-2017:3369-1","SUSE-SU-2017:3411-1","SUSE-SU-2017:3440-1","SUSE-SU-2017:3455-1","SUSE-SU-2018:0005-1","SUSE-SU-2018:0061-1","SUSE-SU-2018:1815-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"introduced":"9.5"}],"cpe":"cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"7.3"}],"cpe":"cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"11.0.0"},{"last_affected":"11.70.1"}],"cpe":"cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.1"}],"cpe":"cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.1"}],"cpe":"cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"7.2"}],"cpe":"cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"6.0.0"},{"last_affected":"6.8.1"},{"introduced":"7.0.0"},{"fixed":"7.6.0"}],"cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"4.2.0"},{"fixed":"4.8.2"},{"introduced":"6.9.0"},{"fixed":"6.10.2"}],"cpe":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18c"}],"cpe":"cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.0-update161"}],"cpe":"cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.7.0-update151"}],"cpe":"cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.8.0-update144"}],"cpe":"cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.6.0-update161"}],"cpe":"cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.7.0-update151"}],"cpe":"cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"1.8.0-update144"}],"cpe":"cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"5.8"}],"cpe":"cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"fixed":"11"}],"cpe":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"10.0.0"},{"fixed":"10.13.0"}],"cpe":"cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"fixed":"11.0"}],"cpe":"cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"fixed":"4"}],"cpe":"cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"42.1"}],"cpe":"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"42.2"}],"cpe":"cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"13.2"}],"cpe":"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.4"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2016/12/05/21"},{"type":"WEB","url":"http://www.securityfocus.com/bid/95131"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039427"},{"type":"WEB","url":"http://www.securitytracker.com/id/1039596"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html"},{"type":"WEB","url":"https://support.apple.com/HT208112"},{"type":"WEB","url":"https://support.apple.com/HT208113"},{"type":"WEB","url":"https://support.apple.com/HT208115"},{"type":"WEB","url":"https://support.apple.com/HT208144"},{"type":"WEB","url":"https://usn.ubuntu.com/4246-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/4292-1/"},{"type":"WEB","url":"https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib"},{"type":"WEB","url":"https://wiki.mozilla.org/images/0/09/Zlib-report.pdf"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1220"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1221"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1222"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:2999"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3046"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3047"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3453"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201701-56"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-54"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20171019-0001/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1402346"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/madler/zlib","events":[{"introduced":"7c2a874e50b871d04fbd19501f7b42cff55e5abc"},{"fixed":"2fa463bacfff79181df1a5270fb67cc679a53e71"},{"fixed":"9aaec95e82117c1cb0f9624264c3618fc380cecb"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"1.2.0"},{"fixed":"1.2.9"}],"cpe":"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*"}}],"versions":["v1.2.0","v1.2.0.1","v1.2.0.2","v1.2.0.3","v1.2.0.4","v1.2.0.5","v1.2.0.6","v1.2.0.7","v1.2.0.8","v1.2.1","v1.2.1.1","v1.2.1.2","v1.2.2","v1.2.2.1","v1.2.2.2","v1.2.2.3","v1.2.2.4","v1.2.3","v1.2.3.1","v1.2.3.2","v1.2.3.3","v1.2.3.4","v1.2.3.5","v1.2.3.6","v1.2.3.7","v1.2.3.8","v1.2.3.9","v1.2.4","v1.2.4-pre1","v1.2.4-pre2","v1.2.4.1","v1.2.4.2","v1.2.4.3","v1.2.4.4","v1.2.4.5","v1.2.5","v1.2.5.1","v1.2.5.2","v1.2.5.3","v1.2.6","v1.2.6.1","v1.2.7","v1.2.7.1","v1.2.7.2","v1.2.7.3","v1.2.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9841.json","vanir_signatures_modified":"2026-05-13T13:20:22Z","vanir_signatures":[{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","deprecated":false,"target":{"file":"contrib/infback9/inftree9.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2016-9841-414fe37a","digest":{"threshold":0.9,"line_hashes":["16120810892851687554789220157819832702","131827276427891043182256510196340875300","189513208101419307945534658579998871654","212147175082612510136412243030409560140","299085759267730258754641938507926344080","138959356155413799645705262600700520329","29752084737358720135606731688432604107","166620327939650871483308933286046278470"]}},{"source":"https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb","deprecated":false,"target":{"file":"inffast.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2016-9841-67c1d2cf","digest":{"threshold":0.9,"line_hashes":["78072732683752644015387925034994222207","152217204562056169832124309407939299073","215225918295936704424918487133039937568","105916848088157406623367830967252372900","160347344788684159828158463979696903015","43373212368396179797268006176184707519","184603405977538261864751504079256823382","300158625332067890321432625334982300477","231456712669769731133653513946756254403","76619535432227392067544577638805564880","86478956061661644697224805573734588602","309264260464250844037425145840657077392","42929194529115052760348046443875986836","69092477746976203796181914166585536326","330500421171059488258816703603104184117","39109048859430692111328065213586549476","141918057837261653864758598178289124013","220076265684161871297861930656071873654","232314986378571625308419906069611283002","271261762835987539750125557095311680186","87109922922403481839749730139942871992","123495222477592797725822233535854539932","176140314733410984217923827334674272305","220153160189091466688700385333929749459","338928063149012365420777119484299731809","291002661199329319366599886303090915736","136749551968338550545808172330052836179","312124000686700852887733291669935553370","60415438212528782552969295181943670311","156128004555781001681532607068313777365","95121502532506852848735358562075473053","128214092140692356294035430869947201312","225960269161724208534821870935736004185","132416564511346590982791537042534820632","333045549506452708645355462802558117647","232314986378571625308419906069611283002","271261762835987539750125557095311680186","87109922922403481839749730139942871992","217247340695284845200408995274744903482","274777786069307210412928712498359338970","304397135614779444569141991583228961447","120430037352594325396773076799784644981","199880817059807794915071985179638614896","137949426801562265268064716684471143124","128214092140692356294035430869947201312","216890108406696089672723699978988015568","325344631564606056501479243613347222251","253934916918483800687220905448916387707","324117531668709484021643110752832760201","269848445246898799838539123745173915525","237558994423137954737767269069474710707","334061756316789733532185870324434516532","161803794516738361969090099175277537039","280595309763251253214168943144476014651","2158493544439301373911245954394611157","306339348680549637083011766076218194468","74463155369157102119310394397879202449","237224848044011259924686497689767912971","167095680762181146134547195001451837632","128547645879596891169285315880325464325","317619100846420598911816750531356741758","307640751256381187047569816370424218950","268811912412110267696912500072565844297","73504501321574436146180087853349147562","278297180902125556931793117875411137737","69472112817935067921514582800476370211","114628231497259286507976161332925760276","269182909587005509966059087799845181470","137069313049285435149612788683553497597","13237349173393881884674916736449391574","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","13237349173393881884674916736449391574","311229632863293049854145443456278875842","316217250228203442530821723093471190301","2544357164870417304895274205782808302","327428738380851875072086640196860844719","38615536945376955112304150955126290690","330323815705367750289174355923513978008","255961283142030936276399941491628317648","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","13237349173393881884674916736449391574","311229632863293049854145443456278875842","200659021717860052381924849217492440740","236208000950321848468091993292835290741","215270906290005783622426038741650274918","206218689166382866616993724409908720033","267736281923668211909025488814612772203","316402213967916457323416304942297066521","42733897016680122202611280292237541530","47312894792537028295421068653932174889","127719182014782471663968575388626875007","276701571312641104074028786671089426922","223277832707020671107633993992068520850","196889730232970301984699769191684713315","114592134611855788707876554101010302842","333607819032366246440607644387681849345","122288431553698812874327513897280558320","124901143056360359423607317645622031993","172510615937141601851724735425487358199","259495703048052745955879027085558613000","67490943479371108797309281824855679892","19827572648871648518340550292068846984","88501319238230112893621207998237820962","47312894792537028295421068653932174889","209117466490795013100449185623148946921","70352130885428897057911716129260226260","64450438259691921455849036414727510360","138444396159167569224176422330227223751","114592134611855788707876554101010302842","333607819032366246440607644387681849345","122288431553698812874327513897280558320","80829327876727030736841137660224091128","330744135247363802013669152669988602556","294258265210916458753940417463134944243","121403476583364000526180708597213122598","250856604606482844765354843044255597698","228608713377455253737580986856305145706"]}},{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","deprecated":false,"target":{"file":"inftrees.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2016-9841-7d837108","digest":{"threshold":0.9,"line_hashes":["33289512042373412906093149139436580830","91426820839317131268716791780186008144","194818944693421866592958753112657371532","159668138545083466055711927804961193023","255066741664144691720111386013603848817","234232056215069776200927132383547217084","295366361648995060731826038642910043574","194364176202057146808626712171096427014"]}},{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","deprecated":false,"target":{"file":"zconf.h"},"signature_type":"Line","signature_version":"v1","id":"CVE-2016-9841-877aa23a","digest":{"threshold":0.9,"line_hashes":["173123370633123651154244949134281019542","102273106005205754638040113472517884264","235429814244466703824677965529538273675","208303993750882978934021550073336842459","97615609550968706431926448181519994863","339118080829838946074693924107468946553","80218173194119430334455345176075092856","221115080022463896686917755184628890434","220779142876063203106760351651649795828","79972837918061490055760410628729165483","29640572416293066614062894907893542972","320836455951002542724053434768351830366","278439570502606989562359642144711240921","74969605840670941905966442808748242415","136349982313411503433050181948921111059","84828482625013498067679033752823325859","218156909012989000717970859258362570251","156120690550699675574548547437792604157","174169894385923384555886757688589868129","113887265610536653913694580851125688715","322944331613534704823013669100696288875","25052244974639821325585794070234606822","38325901798038084643343130133098808807","158002972493212489475769473812998149461","292758423975469462340735089873782351214","197319885884091558389402997168622303229","273529858872929722013164257392580258347","2188558013403878625577241987667171928","227718873515223558132286010362181398299","337146253929636158546926301773569599342","276954032770302743552966193594550874576","326215511158024088703961555581128655326","243619819439693214143230160079414937501","232483367442315974246589415647223061426","260395415480728946097742438941645713965","292290712618831869667048484348647386677","191647618147979755276168823006196468103","219013074033810971796049774630081821884","205564429641538400226903564968255480612","294498949750680192840586029840089044143","183398131489758762038008857864289906980","69378252258223222776676769656103498778","150063933148831471523654235222726000523","160919057829188140111342717977171904200","113985210579133651988131412870508958926","236797731968003545657916862894293146441"]}},{"source":"https://github.com/madler/zlib/commit/2fa463bacfff79181df1a5270fb67cc679a53e71","deprecated":false,"target":{"file":"deflate.c"},"signature_type":"Line","signature_version":"v1","id":"CVE-2016-9841-ebd0da57","digest":{"threshold":0.9,"line_hashes":["241551680136109100503375360648810826978","68187369923040033918172656615963607133","297761764425146664349507739115654243055"]}}]}},{"ranges":[{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"0"},{"last_affected":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"06bc670db0c0e45b3ea11409382a5c315961f682"},{"last_affected":"913071c0b16cc03e703308250d795bc381627e37"},{"last_affected":"ae41ce7c4ecff5e1e336ab768867370b8c94e02d"},{"last_affected":"c942a7ecd2a6b10af9177d7201aeabe9e0af8388"},{"introduced":"54df0057e18d8c82c23fbd4e0bf5b5dc2e762955"},{"last_affected":"e48d775c6f066add457fa8cfb2ebc4d5ff0c7613"},{"introduced":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"last_affected":"b93c1661d689c8b7decc7563ba15f6ed140a4eb6"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"8.0"},{"introduced":"5.6.0"},{"last_affected":"5.6.41"},{"introduced":"5.7.0"},{"last_affected":"5.7.23"},{"last_affected":"7.5"},{"introduced":"4.0.0"},{"last_affected":"4.1.2"},{"introduced":"5.5.0"},{"last_affected":"5.5.61"},{"introduced":"8.0.0"},{"last_affected":"8.0.12"}],"cpe":["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*","cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*"]}}],"versions":["mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-4.1.1","mysql-4.1.2","mysql-5.1.4","mysql-5.5.15","mysql-5.5.19","mysql-5.5.23","mysql-5.5.25","mysql-5.5.27","mysql-5.5.44","mysql-5.5.47","mysql-5.5.49","mysql-5.5.59","mysql-5.5.60","mysql-5.5.61","mysql-5.6.40","mysql-5.6.41","mysql-5.7.23","mysql-8.0.0","mysql-8.0.12","mysql-cluster-7.5.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-9841.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}