PatchSiren cyber security CVE debrief
CVE-2016-9049 Aerospike CVE debrief
CVE-2016-9049 describes a high-severity denial-of-service issue in Aerospike Database Server 3.10.0.3. According to the NVD record, an attacker can trigger a null pointer dereference in the fabric-worker component by connecting to a TCP port and sending a specially crafted packet, which can crash the server process and disrupt availability.
- Vendor: Aerospike
- Product: CVE-2016-9049
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
Organizations running Aerospike Database Server 3.10.0.3, especially if the service is reachable from untrusted networks. Security and operations teams responsible for database availability should prioritize validation and remediation.
Technical summary
NVD classifies the issue as CWE-476 (NULL Pointer Dereference) with CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerable CPE entry in NVD is aerospike:database_server:3.10.0.3. The attack is network-based, requires no privileges or user interaction, and affects availability only. NVD references a Talos advisory for technical description and patch context.
Defensive priority
High for any exposed deployment of Aerospike Database Server 3.10.0.3. Because the issue is remotely triggerable without authentication and can take down the server process, exposed systems should be treated as urgent availability risks.
Recommended defensive actions
- Confirm whether Aerospike Database Server 3.10.0.3 is deployed anywhere in your environment.
- Determine whether the affected TCP service is reachable from untrusted networks and restrict exposure if needed.
- Review the vendor/Talos advisory referenced by NVD and apply the available fix or mitigation guidance.
- If immediate patching is not possible, place compensating network controls in front of the service to reduce attack surface.
- Monitor Aerospike instances for unexpected crashes, restarts, or availability degradation.
- Update internal asset and vulnerability records to reflect the affected version and exposure status.
Evidence notes
The NVD record identifies the vulnerable product as Aerospike Database Server 3.10.0.3 and gives CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-476. NVD references include a Talos advisory URL labeled with exploit, patch, and technical description tags, plus a SecurityFocus BID entry. One SecurityFocus reference is marked broken in the supplied metadata, so the NVD and CVE.org records are the most reliable anchors in this corpus.
Official resources
- CVE-2016-9049 CVE record (CVE.org)
- CVE-2016-9049 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Technical Description, Third Party Advisory, VDB Entry
Published by NVD/CVE on 2017-02-21; last modified in the supplied source on 2026-05-13. This debrief uses the CVE publication date for timing context, not generation or review time.