Heap Overflow Vulnerability in Erlang/OTP 18.x
CVE-2016-10253

9.8CRITICAL

Key Information:

Vendor: Erlang
Status: Erlang\/otp
Vendor: CVE Published:; 18 March 2017

What is CVE-2016-10253?

A vulnerability was identified within Erlang/OTP 18.x where the generation of compiled regular expressions can lead to a heap overflow. This occurs when using a malformed extpattern, which can indirectly define an offset used as an array index. Consequently, this flaw allows unauthorized access to arbitrary regions of the erts_alloc arena for both reading and writing operations, posing a serious security risk.

References

https://usn.ubuntu.com/3571-1/

vendor-advisoryx_refsource_UBUNTU

https://github.com/erlang/otp/pull/1108

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 18, 2017
Vulnerability Reserved
Mar 18, 2017