Critical severity9.8NVD Advisory· Published Apr 7, 2016· Updated May 6, 2026

CVE-2016-2851

Description

Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.

Affected products

Cypherpunks/Libotr
cpe:2.3:a:cypherpunks:libotr:*:*:*:*:*:*:*:*
Range: <=4.1.0
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
OpenSUSE/Leap
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
OpenSUSE/openSUSE
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2016/Mar/21nvdExploitMailing ListThird Party Advisory
lists.cypherpunks.ca/pipermail/otr-users/2016-March/002581.htmlnvdExploit
www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/nvdExploit
lists.opensuse.org/opensuse-security-announce/2016-03/msg00030.htmlnvdVendor Advisory
www.debian.org/security/2016/dsa-3512nvdThird Party Advisory
www.securityfocus.com/archive/1/537745/100/0/threadednvdThird Party Advisory
www.securityfocus.com/bid/84285nvdThird Party AdvisoryVDB Entry
www.ubuntu.com/usn/USN-2926-1nvdThird Party Advisory
security.gentoo.org/glsa/201701-10nvdThird Party Advisory
www.exploit-db.com/exploits/39550/nvdThird Party AdvisoryVDB Entry
lists.opensuse.org/opensuse-security-announce/2016-03/msg00021.htmlnvdMailing List

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.018
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000