CVE-2016-7053

Severity: Unknown
EPSS: 21.30%

CVE-2016-7053 is a vulnerability of currently unknown severity. In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. EPSS estimates a 21.30% chance of exploitation in the next 30 days.

Description

In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which does not handle a NULL value are affected.

Metrics

EPSS Probability
21.30%

97.3rd percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor    Product    Versions
OpenSSL   OpenSSL    1.1.0
OpenSSL   OpenSSL    1.1.0a
OpenSSL   OpenSSL    1.1.0b

Frequently Asked Questions

What is CVE-2016-7053?
In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures using a callback which does not handle a NULL value are affected.
How severe is CVE-2016-7053?
Severity scoring for CVE-2016-7053 is pending analysis. The EPSS model estimates a 21.30% probability of exploitation in the next 30 days.
How do I fix CVE-2016-7053?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.


Source: NVD / NIST