CVE-2016-9079

ENISA EUVD: EUVD-2016-9900 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 5, 2026 Published: 2018-06-11

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

84.81%

probability

This CVE has a 84.81% probability of being exploited in the next 30 days.

0% Top 99.4th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

7.5

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2 (legacy)

5.0

MEDIUM

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Description

VulnerabilityLookup (CNA)

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows. This vulnerability affects Firefox < 50.0.2, Firefox ESR < 45.5.1, and Thunderbird < 45.5.1.

Affected Products

Mozilla

Firefox

unspecified

Mozilla

Firefox ESR

unspecified

Mozilla

Thunderbird

unspecified

debian

debian linux

redhat

enterprise linux

redhat

enterprise linux desktop

redhat

enterprise linux server

redhat

enterprise linux server aus

Mozilla

Thunderbird

unspecified <45.5.1

Mozilla

Firefox ESR

unspecified <45.5.1

Mozilla

Firefox

unspecified <50.0.2

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Discovered

Nov. 29, 2016

Patched

Nov. 30, 2016

Reported by

Obscured Team

Root Cause Analysis

???

Exploits & PoC

dangokyo/CVE-2016-9079

A demo exploit of CVE-2016-9079 on Ubuntu x64

7 2018-07-29

LakshmiDesai/CVE-2016-9079

CVE-2016-9079 exploit code as it appeared on https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html

1 2016-12-07

Tau-hub/Firefox-CVE-2016-9079

1 2021-10-08

3 repos — triés par ⭐ Rechercher sur GitHub ↗

https://www.debian.org/security/2016/dsa-3730

vendor-advisory x_refsource_DEBIAN

http://rhn.redhat.com/errata/RHSA-2016-2843.html

vendor-advisory x_refsource_REDHAT

https://security.gentoo.org/glsa/201701-35

vendor-advisory x_refsource_GENTOO

http://www.securitytracker.com/id/1037370

vdb-entry x_refsource_SECTRACK

https://www.exploit-db.com/exploits/42327/

exploit x_refsource_EXPLOIT-DB

http://rhn.redhat.com/errata/RHSA-2016-2850.html

vendor-advisory x_refsource_REDHAT

Signal Intelligence

Confidenceⓘ

95%

EPSS 84.81%

CVSS v3.1 7.5

Mentions 0

CNA Information

CNA Assigner

mozilla

Analyst Note

Auto-imported from Google Project Zero — confirmed zero-day by definition.

Triage Info

Decided atMar 05, 2026

Published DateJun 11, 2018