CVE-2016-9841 [Critical] | Security Vulnerability in Zlib

CVE-2016-9841 is rated High Risk (67/100): CVSS Critical severity, with high exploitation likelihood (EPSS 7.49%, 94th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	19.18%	7.49%	-11.69%
2	2026-06-06	23.61%	19.18%	-4.43%
3	2026-06-05	—	23.61%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

19.18%

7.49%

-11.69%

2026-06-06

23.61%

19.18%

-4.43%

2026-06-05

—

23.61%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]
7.5	2.0	HIGH	`AV:N/AC:L/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	10.0	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

7.5

2.0

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

6.4

[email protected]

OS Trackers for CVE-2016-9841

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2016-9841 not yet assigned priority: Debian including 2 source packages (rsync, zlib), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10.	https://security-tracker.debian.org/tracker/CVE-2016-9841
`gentoo`	normal	CVE-2016-9841: 2 GLSA(s) (201701-56, 202007-54), 2 atom(s) (net-misc/rsync, sys-libs/zlib); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-9841
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2016-9841
`suse`	critical	CVE-2016-9841 severity critical: SUSE including 198 source package names (0.9.1:libz1-1.2.8-11.1, 1.0.0:libz1-1.2.8-11.1, …), 518 product×package rows across 88 product lines (Container caasp/v4/default-http-backend, Container caasp/v4/dnsmasq-nanny, … (88 product lines)): Fixed 405, Known Not Affected 113.	https://www.suse.com/security/cve/CVE-2016-9841/
`ubuntu`	low	CVE-2016-9841 low priority: Ubuntu including 4 source packages (klibc, rsync, zlib, zsync), 61 status rows across 23 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, precise, questing, trusty, upstream, xenial, yakkety, zesty): released 28, not-affected 18, needs-triage 9, ignored 5, needed 1.	https://ubuntu.com/security/CVE-2016-9841

Affected software / configurations for CVE-2016-9841

Vendor	Product	Version	Raw CPE
zlib	zlib	>= 1.2.0, < 1.2.9	cpe:2.3:a:zlib:zlib::::::::
opensuse	leap	42.1	cpe:2.3:o:opensuse:leap:42.1:::::::*
opensuse	leap	42.2	cpe:2.3:o:opensuse:leap:42.2:::::::*
opensuse	opensuse	13.2	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
canonical	ubuntu_linux	16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
canonical	ubuntu_linux	18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
oracle	database_server	18c	cpe:2.3:a:oracle:database_server:18c:::::::*
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update161::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update151::::::
oracle	jdk	1.8.0	cpe:2.3:a:oracle:jdk:1.8.0:update144::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update161::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update151::::::
oracle	jre	1.8.0	cpe:2.3:a:oracle:jre:1.8.0:update144::::::
oracle	mysql	>= 5.5.0, <= 5.5.61	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 5.6.0, <= 5.6.41	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 5.7.0, <= 5.7.23	cpe:2.3:a:oracle:mysql::::::::
oracle	mysql	>= 8.0.0, <= 8.0.12	cpe:2.3:a:oracle:mysql::::::::
redhat	satellite	5.8	cpe:2.3:a:redhat:satellite:5.8:::::::*
redhat	enterprise_linux_desktop	6.0	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
redhat	enterprise_linux_desktop	7.0	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
redhat	enterprise_linux_eus	7.4	cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
redhat	enterprise_linux_eus	7.5	cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
redhat	enterprise_linux_server	6.0	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
redhat	enterprise_linux_server	7.0	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
redhat	enterprise_linux_workstation	6.0	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
redhat	enterprise_linux_workstation	7.0	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
apple	iphone_os	< 11	cpe:2.3:o:apple:iphone_os::::::::
apple	mac_os_x	>= 10.0.0, < 10.13.0	cpe:2.3:o:apple:mac_os_x::::::::
apple	tvos	< 11.0	cpe:2.3:o:apple:tvos::::::::
apple	watchos	< 4	cpe:2.3:o:apple:watchos::::::::
netapp	active_iq_unified_manager	>= 7.3	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
netapp	active_iq_unified_manager	>= 9.5	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
netapp	cloud_backup	—	cpe:2.3:a:netapp:cloud_backup:-:::::::*
netapp	e-series_santricity_management	—	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vmware_sra::
netapp	e-series_santricity_management	—	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vmware_vasa::
netapp	e-series_santricity_management	—	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vmware_vcenter::
netapp	e-series_santricity_os_controller	>= 11.0.0, <= 11.70.1	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
netapp	e-series_santricity_storage_manager	—	cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
netapp	e-series_santricity_web_services	—	cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
netapp	oncommand_balance	—	cpe:2.3:a:netapp:oncommand_balance:-:::::::*
netapp	oncommand_insight	—	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	oncommand_performance_manager	—	cpe:2.3:a:netapp:oncommand_performance_manager:-:::::vmware_vsphere::
netapp	oncommand_shift	—	cpe:2.3:a:netapp:oncommand_shift:-:::::::*
netapp	oncommand_unified_manager	<= 7.1	cpe:2.3:a:netapp:oncommand_unified_manager::::::vsphere::*
netapp	oncommand_unified_manager	<= 7.1	cpe:2.3:a:netapp:oncommand_unified_manager::::::windows::*
netapp	oncommand_unified_manager	—	cpe:2.3:a:netapp:oncommand_unified_manager:-:::::7-mode::
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
netapp	snapmanager	—	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
netapp	snapmanager	—	cpe:2.3:a:netapp:snapmanager:-:::::sap::
netapp	solidfire	—	cpe:2.3:a:netapp:solidfire:-:::::::*
netapp	steelstore_cloud_integrated_storage	—	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
netapp	storage_replication_adapter_for_clustered_data_ontap	—	cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:-:::::vmware_vsphere::
netapp	symantec_netbackup	—	cpe:2.3:a:netapp:symantec_netbackup:-:::::::*
netapp	vasa_provider_for_clustered_data_ontap	>= 7.2	cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::
netapp	virtual_storage_console	—	cpe:2.3:a:netapp:virtual_storage_console:-:::::vmware_vsphere::
netapp	hci_storage_node	—	cpe:2.3:h:netapp:hci_storage_node:-:::::::*
nodejs	node.js	>= 4.0.0, <= 4.1.2	cpe:2.3:a:nodejs:node.js:::::-:::*
nodejs	node.js	>= 4.2.0, < 4.8.2	cpe:2.3:a:nodejs:node.js:::::lts:::*
nodejs	node.js	>= 6.0.0, <= 6.8.1	cpe:2.3:a:nodejs:node.js:::::-:::*
nodejs	node.js	>= 6.9.0, < 6.10.2	cpe:2.3:a:nodejs:node.js:::::lts:::*
nodejs	node.js	>= 7.0.0, < 7.6.0	cpe:2.3:a:nodejs:node.js:::::-:::*

References for CVE-2016-9841

URL	Tags
http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html
http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html
http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html
http://www.openwall.com/lists/oss-security/2016/12/05/21
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/95131
http://www.securitytracker.com/id/1039427
http://www.securitytracker.com/id/1039596
https://access.redhat.com/errata/RHSA-2017:1220
https://access.redhat.com/errata/RHSA-2017:1221
https://access.redhat.com/errata/RHSA-2017:1222
https://access.redhat.com/errata/RHSA-2017:2999
https://access.redhat.com/errata/RHSA-2017:3046
https://access.redhat.com/errata/RHSA-2017:3047
https://access.redhat.com/errata/RHSA-2017:3453
https://bugzilla.redhat.com/show_bug.cgi?id=1402346
https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html
https://security.gentoo.org/glsa/201701-56
https://security.gentoo.org/glsa/202007-54
https://security.netapp.com/advisory/ntap-20171019-0001/
https://support.apple.com/HT208112
https://support.apple.com/HT208113
https://support.apple.com/HT208115
https://support.apple.com/HT208144
https://usn.ubuntu.com/4246-1/
https://usn.ubuntu.com/4292-1/
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
https://www.oracle.com/security-alerts/cpujul2020.html

URL

CVE-2016-9841

Exploit prediction scoring system (EPSS) score for CVE-2016-9841

Common vulnerability scoring system (CVSS) metrics for CVE-2016-9841

Weakness enumeration for CVE-2016-9841

OS Trackers for CVE-2016-9841

Affected software / configurations for CVE-2016-9841

References for CVE-2016-9841