{"api_version":"1","generated_at":"2026-04-23T02:57:05+00:00","cve":"CVE-2016-1938","urls":{"html":"https://cve.report/CVE-2016-1938","api":"https://cve.report/api/cve/CVE-2016-1938.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-1938","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-1938"},"summary":{"title":"CVE-2016-1938","description":"The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2016-01-31 18:59:00","updated_at":"2018-10-30 16:27:00"},"problem_types":["CWE-310"],"metrics":[],"references":[{"url":"http://www.mozilla.org/security/announce/2016/mfsa2016-07.html","name":"http://www.mozilla.org/security/announce/2016/mfsa2016-07.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Errors in mp_div and mp_exptmod cryptographic functions in NSS — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html","name":"openSUSE-SU-2016:0306","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2016:0306-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1190248","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1190248","refsource":"CONFIRM","tags":["Issue Tracking"],"title":"1190248 - (CVE-2016-1938) mp_div and mp_exptmod sometimes produce wrong calculation results","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html","name":"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Oracle Critical Patch Update - July 2016","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c","name":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c","refsource":"MISC","tags":[],"title":"bignum-fuzz/CVE-2016-1938-nss-mp_exptmod.c at master · hannob/bignum-fuzz · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2880-2","name":"USN-2880-2","refsource":"UBUNTU","tags":[],"title":"USN-2880-2: Firefox regression | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/91787","name":"91787","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Oracle July 2016 Critical Patch Update Multiple Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00010.html","name":"SUSE-SU-2016:0338","refsource":"SUSE","tags":[],"title":"[security-announce] SUSE-SU-2016:0338-1: important: Security update for","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c","name":"https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c","refsource":"CONFIRM","tags":[],"title":"nss: diff lib/freebl/mpi/mpi.c","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201605-06","name":"GLSA-201605-06","refsource":"GENTOO","tags":[],"title":"Mozilla Products: Multiple vulnerabilities (GLSA 201605-06) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html","name":"openSUSE-SU-2016:0309","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2016:0309-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes","name":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes","refsource":"MISC","tags":["Vendor Advisory"],"title":"NSS 3.21 release notes - Mozilla | MDN","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2973-1","name":"USN-2973-1","refsource":"UBUNTU","tags":[],"title":"USN-2973-1: Thunderbird vulnerabilities | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2903-2","name":"USN-2903-2","refsource":"UBUNTU","tags":[],"title":"USN-2903-2: NSS regression | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2016/dsa-3688","name":"DSA-3688","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-3688-1 nss","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2903-1","name":"USN-2903-1","refsource":"UBUNTU","tags":[],"title":"USN-2903-1: NSS vulnerability | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201701-46","name":"GLSA-201701-46","refsource":"GENTOO","tags":[],"title":"Mozilla Network Security Service (NSS): Multiple vulnerabilities (GLSA 201701-46) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/81955","name":"81955","refsource":"BID","tags":[],"title":"Mozilla Network Security Services CVE-2016-1938 Weak Encryption Multiple Security Weaknesses","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1034825","name":"1034825","refsource":"SECTRACK","tags":[],"title":"Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Spoof the Address Bar, Bypass Security Restrictions, and Deny Service - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1194947","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1194947","refsource":"CONFIRM","tags":["Issue Tracking"],"title":"1194947 - miscalculation in mp_exptmod()","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2880-1","name":"USN-2880-1","refsource":"UBUNTU","tags":[],"title":"USN-2880-1: Firefox vulnerabilities | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c","name":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c","refsource":"MISC","tags":[],"title":"bignum-fuzz/CVE-2016-1938-nss-mp_div.c at master · hannob/bignum-fuzz · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html","name":"https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html","refsource":"MISC","tags":[],"title":"Mozilla NSS: Wrong calculation results in mp_div() and mp_exptmod() | The Fuzzing Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-1938","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1938","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"43.0.4","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"3.20.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"nss","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"13.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"13.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"13.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"1938","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"13.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-1938","qid":"710518","title":"Gentoo Linux Mozilla Network Security Service (NSS) Multiple Vulnerabilities (GLSA 201701-46)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2016-1938","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"81955","refsource":"BID","url":"http://www.securityfocus.com/bid/81955"},{"name":"DSA-3688","refsource":"DEBIAN","url":"http://www.debian.org/security/2016/dsa-3688"},{"name":"1034825","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1034825"},{"name":"GLSA-201701-46","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201701-46"},{"name":"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"},{"name":"USN-2903-2","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2903-2"},{"name":"USN-2880-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2880-1"},{"name":"USN-2903-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2903-1"},{"name":"USN-2880-2","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2880-2"},{"name":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c","refsource":"MISC","url":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_exptmod.c"},{"name":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes","refsource":"MISC","url":"https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes"},{"name":"SUSE-SU-2016:0338","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00010.html"},{"name":"http://www.mozilla.org/security/announce/2016/mfsa2016-07.html","refsource":"CONFIRM","url":"http://www.mozilla.org/security/announce/2016/mfsa2016-07.html"},{"name":"https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html","refsource":"MISC","url":"https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html"},{"name":"USN-2973-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2973-1"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1194947","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1194947"},{"name":"openSUSE-SU-2016:0309","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html"},{"name":"91787","refsource":"BID","url":"http://www.securityfocus.com/bid/91787"},{"name":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c","refsource":"MISC","url":"https://github.com/hannob/bignum-fuzz/blob/master/CVE-2016-1938-nss-mp_div.c"},{"name":"GLSA-201605-06","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201605-06"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1190248","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1190248"},{"name":"openSUSE-SU-2016:0306","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html"},{"name":"https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c","refsource":"CONFIRM","url":"https://hg.mozilla.org/projects/nss/diff/a555bf0fc23a/lib/freebl/mpi/mpi.c"}]}},"nvd":{"publishedDate":"2016-01-31 18:59:00","lastModifiedDate":"2018-10-30 16:27:00","problem_types":["CWE-310"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":true,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:nss:*:*:*:*:*:*:*:*","versionEndIncluding":"3.20.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndIncluding":"43.0.4","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"1938","Ordinal":"87743","Title":"CVE-2016-1938","CVE":"CVE-2016-1938","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"1938","Ordinal":"1","NoteData":"The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"1938","Ordinal":"2","NoteData":"2016-01-31","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"1938","Ordinal":"3","NoteData":"2017-11-03","Type":"Other","Title":"Modified"}]}}}