Vulnerability Details CVE-2016-6354
Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.287
EPSS Ranking 96.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://www.debian.org/security/2016/dsa-3653
- http://www.openwall.com/lists/oss-security/2016/07/18/8
- http://www.openwall.com/lists/oss-security/2016/07/26/12
- https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
- https://security.gentoo.org/glsa/201701-31
- http://www.debian.org/security/2016/dsa-3653
- http://www.openwall.com/lists/oss-security/2016/07/18/8
- http://www.openwall.com/lists/oss-security/2016/07/26/12
- https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
- https://security.gentoo.org/glsa/201701-31
Products affected by CVE-2016-6354
-
cpe:2.3:a:westes:flex:2.5.10
-
cpe:2.3:a:westes:flex:2.5.11
-
cpe:2.3:a:westes:flex:2.5.12
-
cpe:2.3:a:westes:flex:2.5.13
-
cpe:2.3:a:westes:flex:2.5.14
-
cpe:2.3:a:westes:flex:2.5.15
-
cpe:2.3:a:westes:flex:2.5.16
-
cpe:2.3:a:westes:flex:2.5.17
-
cpe:2.3:a:westes:flex:2.5.18
-
cpe:2.3:a:westes:flex:2.5.19
-
cpe:2.3:a:westes:flex:2.5.20
-
cpe:2.3:a:westes:flex:2.5.21
-
cpe:2.3:a:westes:flex:2.5.23
-
cpe:2.3:a:westes:flex:2.5.24
-
cpe:2.3:a:westes:flex:2.5.25
-
cpe:2.3:a:westes:flex:2.5.26
-
cpe:2.3:a:westes:flex:2.5.27
-
cpe:2.3:a:westes:flex:2.5.28
-
cpe:2.3:a:westes:flex:2.5.29
-
cpe:2.3:a:westes:flex:2.5.30
-
cpe:2.3:a:westes:flex:2.5.31
-
cpe:2.3:a:westes:flex:2.5.32
-
cpe:2.3:a:westes:flex:2.5.33
-
cpe:2.3:a:westes:flex:2.5.34
-
cpe:2.3:a:westes:flex:2.5.35
-
cpe:2.3:a:westes:flex:2.5.36
-
cpe:2.3:a:westes:flex:2.5.37
-
cpe:2.3:a:westes:flex:2.5.39
-
cpe:2.3:a:westes:flex:2.5.5b
-
cpe:2.3:a:westes:flex:2.5.5c
-
cpe:2.3:a:westes:flex:2.6.0
-
cpe:2.3:o:debian:debian_linux:8.0