Critical severity9.8NVD Advisory· Published Mar 7, 2017· Updated May 13, 2026

CVE-2016-8863

Description

Heap-based buffer overflow in the create_url_list function in gena/gena_device.c in Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a valid URI followed by an invalid one in the CALLBACK header of an SUBSCRIBE request.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

sourceforge.net/p/pupnp/bugs/133/nvdIssue TrackingThird Party Advisory
sourceforge.net/p/pupnp/code/ci/master/tree/ChangeLognvdRelease NotesThird Party Advisory
www.debian.org/security/2016/dsa-3736nvdThird Party Advisory
www.securityfocus.com/bid/92849nvd
security.gentoo.org/glsa/201701-52nvd
www.tenable.com/security/research/tra-2017-10nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.020
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000