CVE-2016-2837

6.3 MEDIUM

Published: August 05, 2016 Modified: May 06, 2026

Description

Heap-based buffer overflow in the ClearKey Content Decryption Module (CDM) in the Encrypted Media Extensions (EME) API in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 might allow remote attackers to execute arbitrary code by providing a malformed video and leveraging a Gecko Media Plugin (GMP) sandbox bypass.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2016-1551.html

Source: security@mozilla.org

http://www.debian.org/security/2016/dsa-3640

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2016/mfsa2016-77.html

Source: security@mozilla.org

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Source: security@mozilla.org

Third Party Advisory

http://www.securityfocus.com/bid/92258

Source: security@mozilla.org

http://www.securitytracker.com/id/1036508

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-3044-1

Source: security@mozilla.org

http://www.zerodayinitiative.com/advisories/ZDI-16-673

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1274637

Source: security@mozilla.org

Issue Tracking Permissions Required

https://security.gentoo.org/glsa/201701-15

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2016-1551.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2016/dsa-3640

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mozilla.org/security/announce/2016/mfsa2016-77.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://www.securityfocus.com/bid/92258

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1036508

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-3044-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.zerodayinitiative.com/advisories/ZDI-16-673

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=1274637

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking Permissions Required

https://security.gentoo.org/glsa/201701-15

Source: af854a3a-2127-422b-91ae-364da2661108

24 reference(s) from NVD

Quick Stats

CVSS v3 Score

6.3 / 10.0

EPSS (Exploit Probability)

0.4%

61th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-119

Affected Vendors

mozilla oracle

Related CVEs

CVE-2026-8086 5.3

CVE-2026-8084 3.3

CVE-2026-8083 7.3

CVE-2026-44742 7.2

CVE-2026-44244 7.8