{"api_version":"1","generated_at":"2026-04-23T12:32:45+00:00","cve":"CVE-2016-5290","urls":{"html":"https://cve.report/CVE-2016-5290","api":"https://cve.report/api/cve/CVE-2016-5290.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-5290","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-5290"},"summary":{"title":"CVE-2016-5290","description":"Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2018-06-11 21:29:00","updated_at":"2018-07-30 12:35:00"},"problem_types":["CWE-119"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2016-89/","name":"https://www.mozilla.org/security/advisories/mfsa2016-89/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 50 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2016-2825.html","name":"RHSA-2016:2825","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2016-90/","name":"https://www.mozilla.org/security/advisories/mfsa2016-90/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox ESR 45.5 — Mozilla","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/94335","name":"94335","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox CVE-2016-5290 Multiple Unspecified Memory Corruption Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1037298","name":"1037298","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Execute Arbitrary Code, Bypass Security Restrictions, Spoof URLs, Modify Files, and Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201701-15","name":"GLSA-201701-15","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2016-93/","name":"https://www.mozilla.org/security/advisories/mfsa2016-93/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird 45.5 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2016-2780.html","name":"RHSA-2016:2780","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.debian.org/security/2016/dsa-3730","name":"DSA-3730","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3730-1 icedove","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1309720%2C1297062%2C1303710%2C1018486%2C1292590%2C1301343%2C1301496%2C1308048%2C1308346%2C1299519%2C1286911%2C1298169","name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1309720%2C1297062%2C1303710%2C1018486%2C1292590%2C1301343%2C1301496%2C1308048%2C1308346%2C1299519%2C1286911%2C1298169","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Bug List","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-5290","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5290","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2016","cve_id":"5290","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-5290","qid":"710500","title":"Gentoo Linux Mozilla Firefox, Thunderbird Multiple Vulnerabilities (GLSA 201701-15)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2016-5290","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Thunderbird","version":{"version_data":[{"version_affected":"<","version_value":"45.5"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_affected":"<","version_value":"45.5"}]}},{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"50"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5"}]}]},"references":{"reference_data":[{"name":"DSA-3730","refsource":"DEBIAN","url":"https://www.debian.org/security/2016/dsa-3730"},{"name":"RHSA-2016:2825","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-2825.html"},{"name":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1309720%2C1297062%2C1303710%2C1018486%2C1292590%2C1301343%2C1301496%2C1308048%2C1308346%2C1299519%2C1286911%2C1298169","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1309720%2C1297062%2C1303710%2C1018486%2C1292590%2C1301343%2C1301496%2C1308048%2C1308346%2C1299519%2C1286911%2C1298169"},{"name":"94335","refsource":"BID","url":"http://www.securityfocus.com/bid/94335"},{"name":"1037298","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1037298"},{"name":"GLSA-201701-15","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201701-15"},{"name":"https://www.mozilla.org/security/advisories/mfsa2016-93/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2016-93/"},{"name":"RHSA-2016:2780","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-2780.html"},{"name":"https://www.mozilla.org/security/advisories/mfsa2016-89/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2016-89/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2016-90/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2016-90/"}]}},"nvd":{"publishedDate":"2018-06-11 21:29:00","lastModifiedDate":"2018-07-30 12:35:00","problem_types":["CWE-119"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"50.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"45.5.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"45.5.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"5290","Ordinal":"91340","Title":"CVE-2016-5290","CVE":"CVE-2016-5290","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"5290","Ordinal":"1","NoteData":"Memory safety bugs were reported in Firefox 49 and Firefox ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"5290","Ordinal":"2","NoteData":"2018-06-11","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"5290","Ordinal":"3","NoteData":"2018-06-12","Type":"Other","Title":"Modified"}]}}}