PatchSiren cyber security CVE debrief
CVE-2016-9051 Aerospike CVE debrief
CVE-2016-9051 describes a critical out-of-bounds write in Aerospike Database Server 3.10.0.3 during batch transaction field parsing. Per the CVE description and NVD metadata, a specially crafted network packet can trigger memory corruption without authentication, creating a credible risk of remote code execution. The affected CPE in NVD is Aerospike Database Server 3.10.0.3.
- Vendor: Aerospike
- Product: CVE-2016-9051
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
Administrators, security teams, and application owners running Aerospike Database Server 3.10.0.3, especially if the service is reachable over the network. Exposure is most concerning for systems that accept untrusted client connections or are otherwise broadly accessible.
Technical summary
NVD records the weakness as CWE-787 (out-of-bounds write) with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-triggerable flaw with no privileges or user interaction required. The vulnerability is in batch transaction field parsing, and the published description states that a crafted packet can cause an out-of-bounds write leading to memory corruption and possible remote code execution.
Defensive priority
Immediate. Because the issue is network exploitable, unauthenticated, and rated Critical (9.8), exposed Aerospike 3.10.0.3 instances should be prioritized for urgent remediation or isolation.
Recommended defensive actions
- Identify any Aerospike Database Server deployments and confirm whether version 3.10.0.3 is in use.
- Restrict network access to Aerospike services to trusted hosts and segments until remediation is complete.
- Apply vendor guidance or upgrade to a fixed Aerospike release if one is available; the official Aerospike and Talos-linked remediation references in the NVD record are the starting point.
- Monitor for unusual crashes, memory corruption symptoms, or unexpected service restarts on affected hosts.
- Validate exposure in external-facing and internally reachable environments, since the vulnerability is triggerable over the network without authentication.
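The inventory and isolation steps above, as an added example that is not part of the PatchSiren debrief or of Aerospike's own tooling: a POSIX shell script that collects each node's build string, flags the build NVD lists as affected, and emits interim firewall rules. It assumes the Aerospike tools package is installed so that `asinfo -h HOST -v build` prints a node's build string (for example `3.10.0.3`); the host names, the `HOST BUILD` inventory format, the sample inventory and the 3000/tcp client port are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the PatchSiren debrief or Aerospike's own tooling.
# Finds nodes on the build NVD lists for CVE-2016-9051 (Aerospike Database
# Server 3.10.0.3) and prints interim nftables rules that limit the client
# port to trusted ranges until remediation is done.
# Assumptions: `asinfo -h HOST -v build` is available and prints the build
# string; 3000/tcp is the client port; host names below are constructed.

AFFECTED_BUILD="3.10.0.3"   # the only build the NVD record names as affected
CLIENT_PORT=3000            # Aerospike's default client port (assumed here)

# is_affected BUILD: succeed (exit 0) when BUILD is exactly the affected one.
# Only the build named in the record is matched; other builds are not judged.
is_affected() {
    [ "$1" = "$AFFECTED_BUILD" ]
}

# query_build HOST: print the build string a live node reports, or nothing
# if asinfo is not installed or the node does not answer.
query_build() {
    command -v asinfo >/dev/null 2>&1 || return 1
    asinfo -h "$1" -v build 2>/dev/null
}

# build_inventory HOST...: print one "HOST BUILD" line per host, writing
# "unknown" for nodes that did not answer so they are not silently skipped.
build_inventory() {
    for h in "$@"; do
        b=$(query_build "$h" || true)
        printf '%s %s\n' "$h" "${b:-unknown}"
    done
}

# affected_hosts INVENTORY: given "HOST BUILD" lines as one string, print
# the hosts whose build equals AFFECTED_BUILD.
affected_hosts() {
    printf '%s\n' "$1" | awk -v v="$AFFECTED_BUILD" '$2 == v { print $1 }'
}

# nft_restrict_rules CIDR...: print nftables commands that accept the client
# port only from the given trusted ranges and drop all other sources.
nft_restrict_rules() {
    printf 'nft add table inet aerospike\n'
    printf 'nft add chain inet aerospike input { type filter hook input priority 0 \\; }\n'
    for c in "$@"; do
        printf 'nft add rule inet aerospike input ip saddr %s tcp dport %s accept\n' "$c" "$CLIENT_PORT"
    done
    printf 'nft add rule inet aerospike input tcp dport %s drop\n' "$CLIENT_PORT"
}

# Constructed sample inventory so the script demonstrates itself offline;
# replace with: build_inventory db-a db-b ... against real nodes.
SAMPLE_INVENTORY="db-a 3.10.0.3
db-b 3.11.0.1
db-c 3.10.0.3
db-d unknown"

main() {
    echo "Hosts on the affected build ($AFFECTED_BUILD):"
    affected_hosts "$SAMPLE_INVENTORY"
    echo "Interim firewall rules (trusted range 10.0.0.0/8 assumed):"
    nft_restrict_rules 10.0.0.0/8
}

main
```

Nodes reported as `unknown` deserve a manual check rather than being treated as clean, and the generated rules are a stop-gap for the client port only; fabric and heartbeat ports between cluster members still need their own allow rules before these are applied.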
Evidence notes
The debrief is based on the CVE description, NVD metadata, and the CVE/NVD record provided in the source corpus. Supported facts include the affected product/version (Aerospike Database Server 3.10.0.3), weakness class (CWE-787), network reachability, lack of privileges/user interaction, and Critical CVSS 9.8. The NVD references list a Talos technical advisory and a SecurityFocus entry, but the SecurityFocus URL is marked broken in the source metadata and the Talos URL was not dereferenced here.
Official resources
- CVE-2016-9051 CVE record (CVE.org)
- CVE-2016-9051 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Broken Link, Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Technical Description, Third Party Advisory, VDB Entry
Published by CVE/NVD on 2017-02-21 22:59:00.197Z. NVD metadata shows the record was modified on 2026-05-13 00:24:29.033Z.