CVE-2016-1925

9.8 CRITICAL

📋 TL;DR

CVE-2016-1925 is an integer underflow in the archive header parsing of lha (LHa for UNIX). A crafted header carries a length field that is smaller than the fixed overhead subtracted from it; the unsigned result wraps to a huge value, and the read or copy that follows overruns a buffer. The outcome ranges from a crash (denial of service) to possible arbitrary code execution with the privileges of the user running lha. Anyone who runs a vulnerable lha on untrusted archives is affected, including automated pipelines (mail gateways, upload scanners, file indexers) that extract archives on a user's behalf.
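The arithmetic behind the vulnerability, as an added example written for this page rather than code taken from lha: the header layout, field offsets, constants, sample buffers and function names below are assumptions chosen to resemble an LZH level-0 header, not lha's actual structures or its fix. The vulnerable routine derives the extension length by unchecked subtraction, so a crafted header wraps it to a value near SIZE_MAX; the hardened parser proves each subtraction cannot wrap and checks the declared size against the bytes actually present before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical header layout, loosely modelled on an LZH level-0 header but
 * NOT lha's actual structures or code (assumption for illustration):
 *   byte 0      declared header size, counted from byte 2 to end of header
 *   byte 1      header checksum (ignored here)
 *   bytes 2-6   method id, e.g. "-lh5-"
 *   bytes 7-20  sizes, timestamp, attribute, level (ignored here)
 *   byte 21     filename length N
 *   bytes 22..  filename (N bytes), then a 2-byte CRC, then extension bytes
 */
#define FIXED_BYTES 20   /* bytes 2..21, covered by the declared size */
#define NAME_OFFSET 22
#define CRC_BYTES   2
#define NAME_MAX    256

struct hdr_info {
    char   name[NAME_MAX + 1];
    size_t ext_len;
};

/* Vulnerable pattern: the extension length is plain subtraction on size_t.
 * A crafted header with a small declared size and a large name length makes
 * the result "negative", which wraps to a huge unsigned value; a caller that
 * then reads or copies ext_len bytes overruns its buffer. */
size_t ext_len_vulnerable(const uint8_t *hdr)
{
    size_t header_size = hdr[0];
    size_t name_len    = hdr[21];
    return header_size - FIXED_BYTES - name_len - CRC_BYTES;   /* can wrap */
}

/* Hardened parser: every subtraction is preceded by the comparison that
 * proves it cannot wrap, and the declared size is checked against the bytes
 * actually available before anything is copied.
 * Returns 0 on success, -1 on a malformed header. */
int parse_header_checked(const uint8_t *hdr, size_t hdrlen, struct hdr_info *out)
{
    if (hdrlen < NAME_OFFSET)
        return -1;                              /* too short for fixed fields */

    size_t header_size = hdr[0];
    size_t name_len    = hdr[21];

    if (header_size + 2 > hdrlen)
        return -1;                              /* declares more than we have */

    size_t needed = FIXED_BYTES + name_len + CRC_BYTES;
    if (header_size < needed)
        return -1;                              /* subtraction would underflow */

    if (name_len > NAME_MAX)
        return -1;

    memcpy(out->name, hdr + NAME_OFFSET, name_len);
    out->name[name_len] = '\0';
    out->ext_len = header_size - needed;        /* provably no wrap here */
    return 0;
}

/* Constructed sample headers (not real archives). */
static const uint8_t GOOD_HDR[35] = {
    33, 0, '-','l','h','5','-',
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0, 0,            /* bytes 7..20 */
    8, 't','e','s','t','.','t','x','t',         /* name length + name */
    0, 0,                                       /* CRC */
    'x','y','z'                                 /* 3 extension bytes */
};

static const uint8_t BAD_HDR[35] = {
    5, 0, '-','l','h','5','-',                  /* declared size far too small */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0, 0,
    200                                         /* name length > declared size */
};

int main(void)
{
    struct hdr_info info;
    printf("good header:    vulnerable ext_len=%zu\n", ext_len_vulnerable(GOOD_HDR));
    printf("crafted header: vulnerable ext_len=%zu (wrapped)\n", ext_len_vulnerable(BAD_HDR));
    printf("crafted header: checked parser -> %d\n",
           parse_header_checked(BAD_HDR, sizeof BAD_HDR, &info));
    if (parse_header_checked(GOOD_HDR, sizeof GOOD_HDR, &info) == 0)
        printf("good header:    name=%s ext_len=%zu\n", info.name, info.ext_len);
    return 0;
}
```

Compile with `cc -Wall` and run: the crafted header yields an ext_len of SIZE_MAX - 216 from the vulnerable routine and a -1 from the checked one. -Wall stays silent about the wrap because unsigned wraparound is defined behaviour in C, which is why this class of bug survives review; clang's `-fsanitize=unsigned-integer-overflow` can flag it at runtime during fuzzing.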

💻 Affected Systems

Products:
  • lha (LHa for UNIX)
Versions: Upstream builds and distribution packages that predate the January 2016 fix commits
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes (lha has no configuration that disables header parsing)
Notes: Only affects hosts where lha is installed and invoked on archives. The upstream version string has stayed at 1.14i across patched and unpatched builds, so the version string alone does not identify a fixed package; compare against the distribution's fixed package version instead.

📦 What is this software?

LHa for UNIX (lha) is a command-line archiver for the LZH/LHA format (.lzh and .lha files, methods such as -lh5-), a UNIX port of the MS-DOS LHA archiver. It is still used to unpack legacy archives and is sometimes called automatically by file managers, archive wrappers and mail or upload scanners that dispatch on file type, so a user need not run it by hand to be exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the user running lha, potentially leading to full system compromise.

🟠

Likely Case

Application crash (denial of service) or limited memory corruption.

🟢

If Mitigated

No impact once the patched package is installed or lha is never run on untrusted archives. ASLR, NX and stack protectors only raise the cost of turning the overflow into code execution; they do not prevent the crash.

🌐 Internet-Facing: MEDIUM - Requires user to process malicious archives, but common in file sharing scenarios.
🏢 Internal Only: LOW - Typically requires user interaction with malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the victim, or an automated pipeline acting for the victim, to process a malicious .lha archive. No authentication is involved, but lha exposes no network listener: the attacker must get the archive delivered (download, e-mail attachment, file share, upload).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Upstream builds that include the January 2016 fix commits; for distribution packages, the fixed version named in the vendor advisory below

Vendor Advisory: https://security.gentoo.org/glsa/202007-42

Restart Required: No

Instructions:

1. Update the lha package through your distribution's package manager.
2. Gentoo: emerge --sync && emerge -av app-arch/lha (the GLSA names the minimum fixed version).
3. Debian/Ubuntu: apt-get update && apt-get install --only-upgrade lha. RHEL/Fedora: yum update lha or dnf upgrade lha.
4. Any service that shells out to lha picks up the new binary on its next invocation; no reboot is needed.

🔧 Temporary Workarounds

Disable lha processing (Linux)

Remove the lha utility so that nothing on the host, including wrappers that dispatch by file type, can be tricked into running it on an untrusted archive. Expect tools that depend on lha for .lzh/.lha files to fail or fall back until the patched package is installed.

sudo apt-get remove lha
sudo yum remove lha

🧯 If You Can't Patch

  • Block .lha/.lzh archives at upload and mail gateways, matching on the file's content signature as well as its extension, since a renamed archive is still routed to lha by any tool that sniffs file type
  • Use alternative archive formats (tar, zip) for exchange with users and make sure no automated pipeline (indexer, scanner, mail gateway) invokes lha
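A content-based filter for the upload control above, as an added example written for this page (not code from lha, the advisory, or the page's sources). It checks the five-byte method id that sits at bytes 2..6 of an LZH header at every header level (for example "-lh5-") alongside the filename extension; the function names and the sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive "does name end with suffix". */
static int ends_with_ci(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    if (s > n) return 0;
    for (size_t i = 0; i < s; i++)
        if (tolower((unsigned char)name[n - s + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* LZH/LHA archives carry a 5-byte method id at bytes 2..6 of the first
 * header, e.g. "-lh5-" (also "-lh0-".."-lh7-", "-lz4-"/"-lzs-" from LArc and
 * "-pm0-"/"-pm2-" from PMarc). Bytes 0 and 1 differ between header levels,
 * so only the method id is used as the signature. */
int looks_like_lha(const uint8_t *buf, size_t len)
{
    if (len < 7) return 0;
    if (buf[2] != '-' || buf[6] != '-') return 0;
    if (buf[3] == 'l' && (buf[4] == 'h' || buf[4] == 'z')) return 1;
    if (buf[3] == 'p' && buf[4] == 'm') return 1;
    return 0;
}

/* Policy (assumption for this example): block when either the name or the
 * content says "LHA". The byte check catches a renamed archive; the name
 * check catches an empty or truncated upload that a downstream tool would
 * still hand to lha on the strength of its extension. */
int should_block_upload(const char *filename, const uint8_t *buf, size_t len)
{
    if (ends_with_ci(filename, ".lha") || ends_with_ci(filename, ".lzh"))
        return 1;
    return looks_like_lha(buf, len);
}

/* Constructed samples (not real files). */
static const uint8_t SAMPLE_LHA[16]  = { 0x16, 0x00, '-','l','h','5','-', 0,0,0,0, 0,0,0,0, 0 };
static const uint8_t SAMPLE_TEXT[16] = "hello, world!\n";

int main(void)
{
    printf("renamed archive (.bin): block=%d\n",
           should_block_upload("report.bin", SAMPLE_LHA, sizeof SAMPLE_LHA));
    printf("plain text (.txt):      block=%d\n",
           should_block_upload("notes.txt", SAMPLE_TEXT, sizeof SAMPLE_TEXT));
    printf("empty file named .LZH:  block=%d\n",
           should_block_upload("OLD.LZH", NULL, 0));
    return 0;
}
```

Only the first seven bytes of the upload are needed for the signature check, so the filter can run on a streaming gateway before the body is fully received.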

🔍 How to Verify

Check if Vulnerable:

Compare the installed package version with the fixed version named in your distribution's advisory (for Gentoo, the GLSA linked above). The upstream version string has stayed at 1.14i across patched and unpatched builds, so the banner printed by the binary does not by itself show whether the fix is present; the package manager's version is the reliable source.

Check Version:

lha --version

If an older build does not recognise --version, running lha with no arguments prints the usage banner, which begins with the version string.

Verify Fix Applied:

Confirm that the package version is at or above the fixed version from the advisory. Extracting a known-good archive only shows that lha still works; it says nothing about whether the fix is applied.

📡 Detection & Monitoring

Log Indicators:

  • lha processes terminating on SIGSEGV or SIGABRT (shell exit status 139 or 134), including kernel "segfault" messages that name lha
  • Memory access violation or heap-corruption abort messages attributed to lha
  • lha invoked by a service account or an automated pipeline on archives that arrived from outside

Network Indicators:

  • Unexpected .lha/.lzh file transfers, including e-mail attachments and uploads whose extension was changed but whose content carries the LZH method id

SIEM Query:

process_name:"lha" AND (event_type:"crash" OR return_code:"139" OR return_code:"134")
