CVE-2016-5296 - Vulnerability Details

A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Mozilla	Firefox Thunderbird
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
firefox-0:45.5.0-1.el5_11	cpe:/o:redhat:enterprise_linux:5	RHSA-2016:2780	2016-11-16T00:00:00Z
Red Hat Enterprise Linux 6
firefox-0:45.5.0-1.el6_8	cpe:/o:redhat:enterprise_linux:6	RHSA-2016:2780	2016-11-16T00:00:00Z
Red Hat Enterprise Linux 7
firefox-0:45.5.0-1.el7_3	cpe:/o:redhat:enterprise_linux:7	RHSA-2016:2780	2016-11-16T00:00:00Z

References

Link	Providers
http://rhn.redhat.com/errata/RHSA-2016-2780.html
http://www.securityfocus.com/bid/94339
http://www.securitytracker.com/id/1037298
https://bugzilla.mozilla.org/show_bug.cgi?id=1292443
https://nvd.nist.gov/vuln/detail/CVE-2016-5296
https://security.gentoo.org/glsa/201701-15
https://www.cve.org/CVERecord?id=CVE-2016-5296
https://www.debian.org/security/2016/dsa-3730
https://www.mozilla.org/security/advisories/mfsa2016-89/
https://www.mozilla.org/security/advisories/mfsa2016-90/
https://www.mozilla.org/security/advisories/mfsa2016-93/
https://www.mozilla.org/security/announce/2016/mfsa2016-89.html

History

Tue, 25 Nov 2025 18:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:mozilla:firefox_esr::::::::
Vendors & Products	Mozilla firefox Esr

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2018-06-11T21:00:00

Updated: 2024-08-06T00:53:48.993Z

Reserved: 2016-06-03T00:00:00

Link: CVE-2016-5296

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-11T21:29:00.687

Modified: 2025-11-25T17:50:16.803

Link: CVE-2016-5296

Redhat

Severity : Critical

Publid Date: 2016-11-16T00:00:00Z

Links: CVE-2016-5296 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object