CVE-2016-9840 [High] | Security Vulnerability in Boost

CVE-2016-9840 is rated High Risk (65.1/100): CVSS High severity, with high exploitation likelihood (EPSS 9.83%, 93th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-06	12.52%	9.83%	-2.69%
2	2026-05-28	9.72%	12.52%	+2.80%
3	2026-05-23	—	9.72%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-06

12.52%

9.83%

-2.69%

2026-05-28

9.72%

12.52%

+2.80%

2026-05-23

—

9.72%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.8	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.9	[email protected]
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.8

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

5.9

[email protected]

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2016-9840

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2016-9840 not yet assigned priority: Debian including 2 source packages (rsync, zlib), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2016-9840
`gentoo`	normal	CVE-2016-9840: 2 GLSA(s) (201701-56, 202007-54), 2 atom(s) (net-misc/rsync, sys-libs/zlib); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-9840
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2016-9840
`suse`	critical	CVE-2016-9840 severity critical: SUSE including 597 source package names (0.9.1:libz1-1.2.8-11.1, 1.0.0:libz1-1.2.8-11.1, …), 2838 product×package rows across 361 product lines (Container bci/kiwi, Container caasp/v4/default-http-backend, … (361 product lines)): Fixed 2499, Known Affected 226, Known Not Affected 113.	https://www.suse.com/security/cve/CVE-2016-9840/
`ubuntu`	low	CVE-2016-9840 low priority: Ubuntu including 4 source packages (klibc, rsync, zlib, zsync), 61 status rows across 23 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, xenial, yakkety, zesty): released 28, not-affected 18, needs-triage 9, ignored 5, needed 1.	https://ubuntu.com/security/CVE-2016-9840

Affected software / configurations for CVE-2016-9840

Vendor	Product	Version	Raw CPE
boost	boost	< 1.78.0	cpe:2.3:a:boost:boost::::::::
zlib	zlib	>= 1.2.0.6, < 1.2.9	cpe:2.3:a:zlib:zlib::::::::
opensuse	leap	42.1	cpe:2.3:o:opensuse:leap:42.1:::::::*
opensuse	leap	42.2	cpe:2.3:o:opensuse:leap:42.2:::::::*
opensuse	opensuse	13.2	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
canonical	ubuntu_linux	18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04::::esm:::
oracle	database_server	18c	cpe:2.3:a:oracle:database_server:18c:::::::*
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update161::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update151::::::
oracle	jdk	1.8.0	cpe:2.3:a:oracle:jdk:1.8.0:update144::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update161::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update151::::::
oracle	jre	1.8.0	cpe:2.3:a:oracle:jre:1.8.0:update144::::::
oracle	mysql	>= 5.5.0, <= 5.5.61	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 5.6.0, <= 5.6.41	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 5.7.0, <= 5.7.23	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 8.0.0, <= 8.0.12	cpe:2.3:a:oracle:mysql::::::::
redhat	satellite	5.8	cpe:2.3:a:redhat:satellite:5.8:::::::*
redhat	enterprise_linux_desktop	6.0	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
redhat	enterprise_linux_desktop	7.0	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
redhat	enterprise_linux_eus	7.4	cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
redhat	enterprise_linux_eus	7.5	cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
redhat	enterprise_linux_server	6.0	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_workstation	6.0	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
redhat	enterprise_linux_workstation	7.0	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
apple	iphone_os	< 11	cpe:2.3:o:apple:iphone_os::::::::
apple	mac_os_x	>= 10.0.0, < 10.13.0	cpe:2.3:o:apple:mac_os_x::::::::
apple	tvos	< 11.0	cpe:2.3:o:apple:tvos::::::::
apple	watchos	< 4	cpe:2.3:o:apple:watchos::::::::
nodejs	node.js	>= 4.0.0, <= 4.1.2	cpe:2.3:a:nodejs:node.js:::::-:::*
nodejs	node.js	>= 4.2.0, < 4.8.2	cpe:2.3:a:nodejs:node.js:::::lts:::*
nodejs	node.js	>= 6.0.0, <= 6.8.1	cpe:2.3:a:nodejs:node.js:::::-:::*
nodejs	node.js	>= 6.9.0, < 6.10.2	cpe:2.3:a:nodejs:node.js:::::lts:::*
nodejs	node.js	>= 7.0.0, < 7.6.0	cpe:2.3:a:nodejs:node.js:::::-:::*

References for CVE-2016-9840

URL	Tags
http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/12/05/21	Mailing List Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	Third Party Advisory
http://www.securityfocus.com/bid/95131	Broken Link
http://www.securitytracker.com/id/1039427	Broken Link
https://access.redhat.com/errata/RHSA-2017:1220	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1221	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1222	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2999	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3046	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3047	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3453	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1402345	Issue Tracking Third Party Advisory
https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201701-56	Third Party Advisory
https://security.gentoo.org/glsa/202007-54	Third Party Advisory
https://support.apple.com/HT208112	Third Party Advisory
https://support.apple.com/HT208113	Third Party Advisory
https://support.apple.com/HT208115	Third Party Advisory
https://support.apple.com/HT208144	Third Party Advisory
https://usn.ubuntu.com/4246-1/	Third Party Advisory
https://usn.ubuntu.com/4292-1/	Third Party Advisory
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib	Third Party Advisory
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf	Broken Link
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory

URL

CVE-2016-9840

Exploit prediction scoring system (EPSS) score for CVE-2016-9840

Common vulnerability scoring system (CVSS) metrics for CVE-2016-9840

Weakness enumeration for CVE-2016-9840

OS Trackers for CVE-2016-9840

Affected software / configurations for CVE-2016-9840

References for CVE-2016-9840