CVE-2016-1938

Published: Jan 31, 2016Modified: May 6, 2026

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.

Affected (5)

Products: Opensuse: Leap, Opensuse · Mozilla: Nss, Firefox

2 products

2 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 42.1
Opensuse Opensuse	Version 13.1
Opensuse Opensuse	Version 13.2

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Nss	Up to 3.20.1
Mozilla Firefox	Up to 43.0.4

Related CWEs

CWE-310

References (46)

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html

Source: security@mozilla.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html

Source: security@mozilla.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00010.html

Source: security@mozilla.org

http://www.debian.org/security/2016/dsa-3688

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2016/mfsa2016-07.html

Source: security@mozilla.org

Vendor Advisory

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Source: security@mozilla.org

Third Party Advisory

http://www.securityfocus.com/bid/81955

Source: security@mozilla.org

http://www.securityfocus.com/bid/91787

Source: security@mozilla.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1034825

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2880-1

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2880-2

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2903-1

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2903-2

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2973-1

Source: security@mozilla.org

https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1190248

Source: security@mozilla.org

Issue Tracking

https://bugzilla.mozilla.org/show_bug.cgi?id=1194947

Source: security@mozilla.org

Issue Tracking

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes

Source: security@mozilla.org

Vendor Advisory

https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c

Source: security@mozilla.org

https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c

Source: security@mozilla.org

https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c

Source: security@mozilla.org

https://security.gentoo.org/glsa/201605-06

Source: security@mozilla.org

https://security.gentoo.org/glsa/201701-46

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html