High severity8.8NVD Advisory· Published Mar 13, 2016· Updated May 6, 2026

CVE-2016-1950

Description

Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.

Affected products

Mozilla Corporation/Firefox14 versions
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=44.0.2
- cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.6.1:*:*:*:*:*:*:*
Mozilla Corporation/Network Security Services4 versions
cpe:2.3:a:mozilla:network_security_services:3.19.2:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:mozilla:network_security_services:3.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.20:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:network_security_services:3.21:*:*:*:*:*:*:*
Oracle Corporation/Glassfish Server
cpe:2.3:a:oracle:glassfish_server:2.1.1:*:*:*:*:*:*:*
Oracle Corporation/Iplanet Web Proxy Server
cpe:2.3:a:oracle:iplanet_web_proxy_server:4.0:*:*:*:*:*:*:*
Oracle Corporation/Iplanet Web Server
cpe:2.3:a:oracle:iplanet_web_server:7.0:*:*:*:*:*:*:*
Apple Inc./Iphone Os
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Range: <=9.2.1
Apple Inc./Mac Os X
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Range: <=10.11.3
Apple Inc./tvOS
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Range: <=9.1
Apple Inc./watchOS
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Range: <=2.1
OpenSUSE/openSUSE
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Oracle Corporation/Linux3 versions
cpe:2.3:o:oracle:linux:5.0:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:oracle:linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
Oracle Corporation/Vm Server
cpe:2.3:o:oracle:vm_server:3.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.htmlnvdThird Party Advisory
www.mozilla.org/security/announce/2016/mfsa2016-35.htmlnvdVendor Advisory
www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlnvdThird Party Advisory
www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.htmlnvdThird Party Advisory
www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlnvdThird Party Advisory
support.apple.com/HT206166nvdThird Party Advisory
support.apple.com/HT206167nvdThird Party Advisory
support.apple.com/HT206168nvdThird Party Advisory
support.apple.com/HT206169nvdThird Party Advisory
lists.apple.com/archives/security-announce/2016/Mar/msg00000.htmlnvdMailing List
lists.apple.com/archives/security-announce/2016/Mar/msg00001.htmlnvdMailing List
lists.apple.com/archives/security-announce/2016/Mar/msg00002.htmlnvdMailing List
lists.apple.com/archives/security-announce/2016/Mar/msg00004.htmlnvdMailing List
bugzilla.mozilla.org/show_bug.cginvdIssue Tracking
developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.3_release_notesnvdRelease Notes
developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notesnvdRelease Notes
lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.htmlnvd
lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.htmlnvd
rhn.redhat.com/errata/RHSA-2016-0495.htmlnvd
www.debian.org/security/2016/dsa-3510nvd
www.debian.org/security/2016/dsa-3520nvd
www.debian.org/security/2016/dsa-3688nvd
www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlnvd
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlnvd
www.securityfocus.com/bid/84223nvd
www.securitytracker.com/id/1035215nvd
www.ubuntu.com/usn/USN-2917-1nvd
www.ubuntu.com/usn/USN-2917-2nvd
www.ubuntu.com/usn/USN-2917-3nvd
www.ubuntu.com/usn/USN-2924-1nvd
www.ubuntu.com/usn/USN-2934-1nvd
bto.bluecoat.com/security-advisory/sa119nvd
security.gentoo.org/glsa/201605-06nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000