PatchSiren

CVE-2016-10141 Artifex CVE debrief

CVE-2016-10141 is a critical integer overflow in MuJS regular-expression emission code. According to the CVE record, a specially crafted regular expression with nested repetition can trigger the flaw in regemit() inside regexp.c, with potential outcomes including code execution or denial of service. The vulnerable range is MuJS versions before commit fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045.

Vendor: Artifex
Product: CVE-2016-10141
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-13
Original CVE updated: 2026-05-13
Advisory published: 2017-01-13
Advisory updated: 2026-05-13

Who should care

Organizations embedding MuJS or exposing MuJS-powered features to untrusted input should treat this as urgent, especially if users can submit or influence regular expressions. Security teams, product owners, and maintainers of browser-like, scripting, or document-processing components that rely on MuJS should prioritize review and upgrade planning.

Technical summary

The issue is a CWE-190 integer overflow in regemit() in regexp.c. The CVE description states that nested repetition in a regular expression can cause the overflow, which can then lead to a buffer overflow condition. NVD lists the vulnerability as remotely exploitable with no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N) and a high-impact CVSS 3.1 score of 9.8. The vulnerable CPE range is MuJS before 2017-01-12 per NVD's version boundary data, and the supplied fix reference points to commit fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045.

Defensive priority

Immediate. This is a critical, network-exploitable memory corruption issue with potential code execution impact.

Recommended defensive actions

  • Upgrade MuJS to a release that includes commit fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045 or later.
  • Identify any applications or appliances that bundle MuJS, even if the library is not exposed directly.
  • Restrict or validate any feature that accepts attacker-controlled regular expressions until patched.
  • Add regression tests for nested-repetition regex cases and run security-focused fuzzing on regex parsing/emission paths.
  • If patching is not immediately possible, disable the affected regex functionality or remove exposure to untrusted input where feasible.
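
A pre-validation gate for the "restrict or validate" action above, as an added example that is not MuJS code or part of the advisory. It estimates how large a pattern becomes once nested and counted repetitions are expanded, using saturating arithmetic so the estimate itself cannot wrap, and rejects anything over a budget. The function names, the 10000-unit budget, the nesting limit of 32 and the simplified regex grammar are assumptions for illustration.

```c
#include <ctype.h>
#include <stdlib.h>

#define BUDGET 10000UL  /* assumed cap on expanded pattern size; tune per deployment */
#define MAX_DEPTH 32    /* assumed cap on group nesting */
#define OVER (BUDGET + 1)

/* Saturating arithmetic: results clamp at OVER instead of wrapping around. */
static unsigned long sat_add(unsigned long a, unsigned long b) {
    return (a >= OVER || b >= OVER - a) ? OVER : a + b;
}
static unsigned long sat_mul(unsigned long a, unsigned long b) {
    if (a == 0 || b == 0) return 0;
    return (a > OVER / b) ? OVER : a * b;
}

/* Estimate the expanded size of a sequence; stops at ')' or end of string. */
static unsigned long estimate(const char **p, int depth) {
    unsigned long total = 0;
    while (**p && **p != ')') {
        unsigned long atom = 1, rep = 1;
        char c = *(*p)++;
        if (c == '\\' && **p) {
            (*p)++;                                   /* escape: one unit */
        } else if (c == '[') {                        /* class: one unit */
            while (**p && **p != ']') { if (**p == '\\' && (*p)[1]) (*p)++; (*p)++; }
            if (**p) (*p)++;
        } else if (c == '(') {                        /* group: size of its body plus 2 */
            if (depth >= MAX_DEPTH) return OVER;
            atom = sat_add(estimate(p, depth + 1), 2);
            if (**p == ')') (*p)++;
        }
        if (**p == '*' || **p == '+' || **p == '?') {
            rep = 2; (*p)++;
        } else if (**p == '{' && isdigit((unsigned char)(*p)[1])) {
            char *end;                                /* counted form {n}, {n,} or {n,m} */
            unsigned long lo = strtoul(*p + 1, &end, 10), hi = lo;
            if (*end == ',' && isdigit((unsigned char)end[1])) hi = strtoul(end + 1, &end, 10);
            else if (*end == ',') end++;
            if (*end == '}') { rep = sat_add(hi > lo ? hi : lo, 1); *p = end + 1; }
        }
        total = sat_add(total, sat_mul(atom, rep));   /* nesting multiplies, so clamp */
    }
    return total;
}

/* Returns 1 when the pattern fits the budget, 0 when it should be rejected. */
int regex_within_budget(const char *pattern) {
    const char *p = pattern;
    unsigned long n = estimate(&p, 0);
    return *p == '\0' && n <= BUDGET;                 /* a stray ')' also rejects */
}
```

Call regex_within_budget() on untrusted patterns before they reach the engine; it over-approximates on purpose and is a stopgap alongside the upgrade, not a replacement for it.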

Evidence notes

Primary evidence comes from the CVE description and NVD metadata supplied in the corpus: the flaw is an integer overflow in regemit() in regexp.c, triggered by nested repetition in a regular expression, with impact described as code execution or denial of service. NVD classifies the weakness as CWE-190 and lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The reference list includes the MuJS git repository commit fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045, a SecurityFocus advisory, and a Ghostscript bug tracker entry.

Official resources

CVE published on 2017-01-13. The supplied NVD record was last modified on 2026-05-13; that date reflects record maintenance, not the original disclosure date.