CVE-2016-9079
Last modified
CVE-2016-9079 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. CISA has confirmed active exploitation in the wild. EPSS estimates a 87.92% chance of exploitation in the next 30 days.
Description
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 9.0 |
| Redhat | Enterprise Linux | 5.0 |
| Redhat | Enterprise Linux | 6.0 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Enterprise Linux Desktop | 5.0 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Server | 5.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Server Aus | 7.3 |
| Redhat | Enterprise Linux Server Aus | 7.4 |
| Redhat | Enterprise Linux Server Eus | 7.3 |
| Redhat | Enterprise Linux Server Eus | 7.4 |
| Redhat | Enterprise Linux Server Eus | 7.5 |
| Redhat | Enterprise Linux Workstation | 5.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Redhat | Enterprise Linux Workstation | 7.0 |
| Mozilla | Thunderbird | < 45.5.1 |
| Mozilla | Firefox | < 50.0.2 |
| Mozilla | Firefox | < 45.5.1 |
| Torproject | Tor | All versions |
References
- http://rhn.redhat.com/errata/RHSA-2016-2843.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2016-2850.htmlThird Party Advisory
- http://www.securityfocus.com/bid/94591Broken Link, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1037370Third Party Advisory, VDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1321066Exploit, Issue Tracking, Vendor Advisory
- https://security.gentoo.org/glsa/201701-15Third Party Advisory
- https://security.gentoo.org/glsa/201701-35Third Party Advisory
- https://www.debian.org/security/2016/dsa-3730Third Party Advisory
- https://www.exploit-db.com/exploits/41151/Exploit, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/42327/Exploit, Third Party Advisory, VDB Entry
- https://www.mozilla.org/security/advisories/mfsa2016-92/Vendor Advisory
- http://rhn.redhat.com/errata/RHSA-2016-2843.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2016-2850.htmlThird Party Advisory
- http://www.securityfocus.com/bid/94591Broken Link, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1037370Third Party Advisory, VDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1321066Exploit, Issue Tracking, Vendor Advisory
- https://security.gentoo.org/glsa/201701-15Third Party Advisory
- https://security.gentoo.org/glsa/201701-35Third Party Advisory
- https://www.debian.org/security/2016/dsa-3730Third Party Advisory
- https://www.exploit-db.com/exploits/41151/Exploit, Third Party Advisory, VDB Entry
- https://www.exploit-db.com/exploits/42327/Exploit, Third Party Advisory, VDB Entry
- https://www.mozilla.org/security/advisories/mfsa2016-92/Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-9079US Government Resource
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2016-9079?
How severe is CVE-2016-9079?
How do I fix CVE-2016-9079?
Are you affected by CVE-2016-9079?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST