CVE-2016-1950 [High] | Memory Corruption in Network Security Services

Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-19	3.33%	1.87%	-1.46%
2	2025-12-28	1.94%	3.33%	+1.39%
3	2025-12-27	—	1.94%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-19

3.33%

1.87%

-1.46%

2025-12-28

1.94%

3.33%

+1.39%

2025-12-27

—

1.94%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.8	3.0	HIGH	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.9	[email protected]
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.8

3.0

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

5.9

[email protected]

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2016-1950

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2016-1950 not yet assigned priority: Debian including 3 source packages (firefox, firefox-esr, nss), 11 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 11.	https://security-tracker.debian.org/tracker/CVE-2016-1950
`gentoo`	normal	CVE-2016-1950: 1 GLSA(s) (201605-06), 6 atom(s) (dev-libs/nspr, dev-libs/nss, mail-client/thunderbird, mail-client/thunderbird-bin, www-client/firefox, www-client/firefox-bin); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-1950
`redhat`	critical	—	https://access.redhat.com/security/cve/CVE-2016-1950
`suse`	high	CVE-2016-1950 severity important: SUSE including 646 source package names (MozillaFirefox, MozillaFirefox-102.11.0-150200.152.87.1, …), 1102 product×package rows across 106 product lines (Image SLES12-SP5-Azure-BYOS, Image SLES12-SP5-Azure-Basic-On-Demand, … (106 product lines)): Fixed 896, Known Affected 157, Known Not Affected 49.	https://www.suse.com/security/cve/CVE-2016-1950/
`ubuntu`	medium	CVE-2016-1950 medium priority: Ubuntu including 3 source packages (firefox, nss, thunderbird), 21 status rows across 7 suites (precise, trusty, upstream, wily, xenial, yakkety, zesty): released 18, not-affected 3.	https://ubuntu.com/security/CVE-2016-1950

Affected software / configurations for CVE-2016-1950

Vendor	Product	Version	Raw CPE
mozilla	network_security_services	3.19.2	cpe:2.3:a:mozilla:network_security_services:3.19.2:::::::*
mozilla	network_security_services	3.20	cpe:2.3:a:mozilla:network_security_services:3.20:::::::*
mozilla	network_security_services	3.20.1	cpe:2.3:a:mozilla:network_security_services:3.20.1:::::::*
mozilla	network_security_services	3.21	cpe:2.3:a:mozilla:network_security_services:3.21:::::::*
mozilla	firefox	<= 44.0.2	cpe:2.3:a:mozilla:firefox::::::::
mozilla	firefox	38.0	cpe:2.3:a:mozilla:firefox:38.0:::::::*
mozilla	firefox	38.0.1	cpe:2.3:a:mozilla:firefox:38.0.1:::::::*
mozilla	firefox	38.0.5	cpe:2.3:a:mozilla:firefox:38.0.5:::::::*
mozilla	firefox	38.1.0	cpe:2.3:a:mozilla:firefox:38.1.0:::::::*
mozilla	firefox	38.1.1	cpe:2.3:a:mozilla:firefox:38.1.1:::::::*
mozilla	firefox	38.2.0	cpe:2.3:a:mozilla:firefox:38.2.0:::::::*
mozilla	firefox	38.2.1	cpe:2.3:a:mozilla:firefox:38.2.1:::::::*
mozilla	firefox	38.3.0	cpe:2.3:a:mozilla:firefox:38.3.0:::::::*
mozilla	firefox	38.4.0	cpe:2.3:a:mozilla:firefox:38.4.0:::::::*
mozilla	firefox	38.5.0	cpe:2.3:a:mozilla:firefox:38.5.0:::::::*
mozilla	firefox	38.5.1	cpe:2.3:a:mozilla:firefox:38.5.1:::::::*
mozilla	firefox	38.6.0	cpe:2.3:a:mozilla:firefox:38.6.0:::::::*
mozilla	firefox	38.6.1	cpe:2.3:a:mozilla:firefox:38.6.1:::::::*
oracle	linux	5.0	cpe:2.3:o:oracle:linux:5.0:::::::*
oracle	linux	6	cpe:2.3:o:oracle:linux:6:::::::*
oracle	linux	7	cpe:2.3:o:oracle:linux:7:::::::*
oracle	vm_server	3.2	cpe:2.3:o:oracle:vm_server:3.2:::::::*
apple	iphone_os	<= 9.2.1	cpe:2.3:o:apple:iphone_os::::::::
apple	mac_os_x	<= 10.11.3	cpe:2.3:o:apple:mac_os_x::::::::
apple	tvos	<= 9.1	cpe:2.3:o:apple:tvos::::::::
apple	watchos	<= 2.1	cpe:2.3:o:apple:watchos::::::::
oracle	glassfish_server	2.1.1	cpe:2.3:a:oracle:glassfish_server:2.1.1:::::::*
oracle	iplanet_web_proxy_server	4.0	cpe:2.3:a:oracle:iplanet_web_proxy_server:4.0:::::::*
oracle	iplanet_web_server	7.0	cpe:2.3:a:oracle:iplanet_web_server:7.0:::::::*
opensuse	opensuse	13.1	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

References for CVE-2016-1950

URL	Tags
http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html	Mailing List
http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html	Mailing List
http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html	Mailing List
http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html	Mailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0495.html
http://www.debian.org/security/2016/dsa-3510
http://www.debian.org/security/2016/dsa-3520
http://www.debian.org/security/2016/dsa-3688
http://www.mozilla.org/security/announce/2016/mfsa2016-35.html	Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Third Party Advisory
http://www.securityfocus.com/bid/84223
http://www.securitytracker.com/id/1035215
http://www.ubuntu.com/usn/USN-2917-1
http://www.ubuntu.com/usn/USN-2917-2
http://www.ubuntu.com/usn/USN-2917-3
http://www.ubuntu.com/usn/USN-2924-1
http://www.ubuntu.com/usn/USN-2934-1
https://bto.bluecoat.com/security-advisory/sa119
https://bugzilla.mozilla.org/show_bug.cgi?id=1245528	Issue Tracking
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.2.3_release_notes	Release Notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes	Release Notes
https://security.gentoo.org/glsa/201605-06
https://support.apple.com/HT206166	Third Party Advisory
https://support.apple.com/HT206167	Third Party Advisory
https://support.apple.com/HT206168	Third Party Advisory
https://support.apple.com/HT206169	Third Party Advisory

URL

CVE-2016-1950

Exploit prediction scoring system (EPSS) score for CVE-2016-1950

Common vulnerability scoring system (CVSS) metrics for CVE-2016-1950

Weakness enumeration for CVE-2016-1950

OS Trackers for CVE-2016-1950

Affected software / configurations for CVE-2016-1950

References for CVE-2016-1950