CVE-2016-10195

9.8 CRITICAL

📋 TL;DR

CVE-2016-10195 is a critical out-of-bounds read vulnerability in libevent's DNS parsing function that allows remote attackers to read sensitive data from stack memory. This affects applications using vulnerable libevent versions for DNS resolution. Attackers can potentially leverage this to bypass ASLR or leak sensitive information.

💻 Affected Systems

Products:
  • libevent
  • Applications using libevent for DNS resolution
Versions: libevent versions before 2.1.6-beta
Operating Systems: Linux, Unix-like systems, Windows (if compiled with libevent)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using libevent's DNS client functionality is vulnerable when processing malicious DNS responses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution via information disclosure that bypasses ASLR, leading to complete system compromise.

🟠

Likely Case

Information disclosure allowing attackers to read stack memory contents, potentially revealing sensitive data or memory addresses.

🟢

If Mitigated

Limited impact if proper network segmentation and application sandboxing are implemented.

🌐 Internet-Facing: HIGH - Remote exploitation possible via DNS responses to vulnerable applications.
🏢 Internal Only: MEDIUM - Requires network access to vulnerable service, but internal attackers could exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending malicious DNS responses to trigger the out-of-bounds read. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libevent 2.1.6-beta and later

Vendor Advisory: http://www.openwall.com/lists/oss-security/2017/01/31/17

Restart Required: Yes

Instructions:

  1. Update libevent to version 2.1.6-beta or later.
  2. Recompile applications using libevent.
  3. Restart affected services.

🔧 Temporary Workarounds

Network filtering (platform: all)
  • Block or filter incoming DNS responses from untrusted sources

Application sandboxing (platform: linux)
  • Run vulnerable applications with reduced privileges and memory restrictions
  • Command: systemctl edit <service> (add MemoryDenyWriteExecute=true, PrivateTmp=true, etc.)

🧯 If You Can't Patch

  • Implement strict network segmentation to limit DNS traffic to trusted sources only
  • Deploy application control solutions to monitor and restrict libevent-based applications

🔍 How to Verify

Check if Vulnerable:

Check libevent version: ldd /path/to/application | grep libevent && strings /usr/lib/libevent* | grep 'libevent-'

Check Version:

pkg-config --modversion libevent || strings /usr/lib/libevent* | grep 'libevent-' | head -1

Verify Fix Applied:

Verify libevent version is 2.1.6-beta or later: pkg-config --modversion libevent
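The version checks above leave the comparison against 2.1.6-beta to the reader. The following POSIX sh script is an added example, not part of this advisory or of the libevent project: it classifies a libevent version string as "fixed" or "vulnerable" relative to 2.1.6, accepting the forms produced by pkg-config (e.g. 2.1.12-stable) and by strings on the shared object (e.g. libevent-2.0.22-stable). The library search paths in check_installed_libevent are assumptions and may need adjusting for your distribution.

```shell
#!/bin/sh
# Added example (not from the advisory or from libevent): compare a libevent
# version string against the first fixed release for CVE-2016-10195, 2.1.6-beta.

# Print "fixed", "vulnerable" or "unknown" for the version in $1.
# Returns 0 for fixed, 1 for vulnerable, 2 for an unparsable string.
libevent_status() {
    v=${1#libevent-}        # strip the "libevent-" prefix seen in `strings` output
    v=${v%%[-_]*}           # drop release tags such as -beta, -stable, -rc1
    if [ -z "$v" ]; then printf 'unknown\n'; return 2; fi
    # Split "major.minor.patch" on dots; missing fields default to 0.
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    for n in "$major" "$minor" "$patch"; do
        case $n in *[!0-9]*) printf 'unknown\n'; return 2 ;; esac
    done
    # 2.1.6 and later carry the fix (the page names 2.1.6-beta as the first such release).
    if [ "$major" -gt 2 ] \
       || { [ "$major" -eq 2 ] && [ "$minor" -gt 1 ]; } \
       || { [ "$major" -eq 2 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 6 ]; }; then
        printf 'fixed\n'; return 0
    fi
    printf 'vulnerable\n'; return 1
}

# Query the installed library the way the page suggests (pkg-config first,
# then the version string embedded in the .so) and classify it.
# Library paths below are assumed defaults, not taken from the advisory.
check_installed_libevent() {
    v=$(pkg-config --modversion libevent 2>/dev/null || true)
    if [ -z "$v" ]; then
        v=$(strings /usr/lib/libevent* /usr/lib/*/libevent* 2>/dev/null \
            | grep -o 'libevent-[0-9][0-9.]*[-a-z0-9]*' | head -n 1 || true)
    fi
    if [ -z "$v" ]; then printf 'libevent not found\n'; return 2; fi
    printf '%s: ' "$v"
    libevent_status "$v"
}

# With arguments: classify each given version string; without: inspect this host.
if [ $# -gt 0 ]; then
    for arg in "$@"; do
        printf '%s: ' "$arg"
        libevent_status "$arg" || true
    done
else
    check_installed_libevent || true
fi
```

Run it with no arguments on the host being audited, or pass version strings taken from another system (e.g. `./check.sh 2.0.22-stable libevent-2.1.12-stable`). Note that distributions sometimes backport fixes without changing the upstream version number, so a "vulnerable" result from a packaged libevent should be confirmed against the distribution's own changelog.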

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or abnormal termination
  • DNS parsing errors in application logs

Network Indicators:

  • Unusual DNS response patterns to applications
  • DNS traffic from unexpected sources

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "out of bounds" OR "libevent")
