Medium severity5.3NVD Advisory· Published Sep 6, 2016· Updated May 6, 2026

CVE-2016-7152

Description

The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/nvdTechnical Description
tom.vg/papers/heist_blackhat2016.pdfnvdTechnical Description
www.securityfocus.com/bid/92769nvd
www.securitytracker.com/id/1036741nvd
www.securitytracker.com/id/1036742nvd
www.securitytracker.com/id/1036743nvd
www.securitytracker.com/id/1036744nvd
www.securitytracker.com/id/1036745nvd
www.securitytracker.com/id/1036746nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000