CVE-2016-5080
Description
Integer overflow in ASN1C compiler's memory allocator allows remote code execution via crafted ASN.1 data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in ASN1C compiler's memory allocator allows remote code execution via crafted ASN.1 data.
Vulnerability
An integer overflow vulnerability exists in the rtxMemHeapAlloc function in asn1rt_a.lib of the Objective Systems ASN1C compiler for C/C++ before version 7.0.2. When an application compiled with this compiler parses crafted ASN.1 data, the integer overflow leads to a heap-based buffer overflow, potentially allowing arbitrary code execution or denial of service [1][2][3][4].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted ASN.1 encoded message to a service that uses code compiled with the affected ASN1C compiler. The attacker does not need any prior authentication or local access. The message triggers the integer overflow in the memory allocation routine, causing a heap-based buffer overflow [2][3].
Impact
Successful exploitation could allow the attacker to execute arbitrary code on the target system with the privileges of the affected process, or cause a denial of service (system crash or instability). The vulnerability is remotely exploitable and requires no user interaction [2][3][4].
Mitigation
The vulnerability is fixed in ASN1C version 7.0.2. Cisco has released software updates for affected products (Cisco ASR 5000 StarOS and Virtualized Packet Core) [4]. No workarounds are available. Users should update the ASN1C compiler to version 7.0.2 or later, and apply patches from vendors using the compiler [1][2][3][4].
- Android Security Bulletin—January 2017
- Memory corruption in code generated by Objective Systems Inc. ASN1C compiler for C/C++ [STIC-2016-0603]
- security-advisories/ObjSys/CVE-2016-5080 at master · programa-stic/security-advisories
- Cisco Security Advisory: Vulnerability in Objective Systems ASN1C Compiler Affecting Cisco Products
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <7.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
11- www.kb.cert.org/vuls/id/790839nvdThird Party AdvisoryUS Government Resource
- github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080nvdTechnical DescriptionThird Party Advisory
- www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2016-0650+1.00+Kwetsbaarheid+verholpen+in+ASN1C.htmlnvdThird Party Advisory
- packetstormsecurity.com/files/137970/Objective-Systems-Inc.-ASN1C-For-C-C-Heap-Memory-Corruption.htmlnvd
- seclists.org/fulldisclosure/2016/Jul/65nvd
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160721-asn1cnvd
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlnvd
- www.securityfocus.com/archive/1/538952/100/0/threadednvd
- www.securityfocus.com/bid/91836nvd
- www.securitytracker.com/id/1036386nvd
- source.android.com/security/bulletin/2017-01-01.htmlnvd
News mentions
0No linked articles in our index yet.