PatchSiren

CVE-2016-9109 Artifex CVE debrief

CVE-2016-9109 is a denial-of-service vulnerability in Artifex Software MuJS. According to the CVE record, attackers can trigger a crash through incomplete escape sequence handling, and the issue exists because a prior fix for CVE-2016-7563 was incomplete. The NVD assigns CWE-125 and a CVSS 3.0 score of 7.5, reflecting high availability impact with no confidentiality or integrity impact.

Vendor: Artifex
Product: CVE-2016-9109
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Organizations that embed or distribute MuJS, especially product teams, downstream package maintainers, and security teams responsible for JavaScript engine updates in shipped software, should care most. Any service that processes untrusted content through MuJS should treat this as a crash-risk issue.

Technical summary

The NVD record classifies this as CWE-125 (out-of-bounds read) and rates it CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The public description ties the crash to incomplete escape sequence vectors and notes that the vulnerability stems from an incomplete remediation of CVE-2016-7563. The available corpus does not provide a fixed version number, exploit mechanics, or vendor patch details.
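
The record gives no exploit mechanics, so the following is an added illustration of the bug class only (CWE-125 reached through an incomplete escape sequence); it is not MuJS code or the vendor patch, and the function names and the \xHH / \uHHHH grammar are assumptions. Every escape form goes through one length-checked reader, so a truncated sequence is rejected before any byte past the input is read.

```c
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold 'A'..'F' to 'a'..'f' */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Read exactly n hex digits starting at in[*pos] without touching in[len]
 * or anything after it. Shared by all escape kinds (hypothetical helper). */
static int read_hex(const char *in, size_t len, size_t *pos, int n, unsigned *out)
{
    unsigned v = 0;
    if (len - *pos < (size_t)n) return -1;       /* incomplete escape */
    for (int i = 0; i < n; i++) {
        int d = hexval((unsigned char)in[*pos + i]);
        if (d < 0) return -1;                    /* not a hex digit */
        v = v * 16 + (unsigned)d;
    }
    *pos += (size_t)n;
    *out = v;
    return 0;
}

/* Decode \xHH, \uHHHH (values up to 0xFF only, a simplification) and \c.
 * The input is length-bounded, not assumed NUL-terminated.
 * Returns bytes written, or -1 on malformed or incomplete input. */
long decode_escapes(const char *in, size_t len, unsigned char *out, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        unsigned v = (unsigned char)in[i++];
        if (v == '\\') {
            if (i >= len) return -1;             /* lone trailing backslash */
            char kind = in[i++];
            int n = kind == 'x' ? 2 : kind == 'u' ? 4 : 0;
            if (n == 0) v = (unsigned char)kind; /* \c is the literal c */
            else if (read_hex(in, len, &i, n, &v) || v > 0xFF) return -1;
        }
        if (o >= cap) return -1;                 /* output buffer full */
        out[o++] = (unsigned char)v;
    }
    return (long)o;
}
```

Truncated inputs of this shape are the cases to keep in a regression suite when retesting escape-sequence paths after patching.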

Defensive priority

High for availability-sensitive deployments that use MuJS to parse attacker-controlled input. While this is not a code-execution issue in the supplied record, a remote crash in a library embedded in exposed services can still be operationally significant.

Recommended defensive actions

  • Inventory all products and packages that bundle or depend on MuJS.
  • Check vendor and downstream advisories referenced by the CVE record for the applicable fixed release or patch.
  • Apply the vendor remediation for the incomplete escape-sequence handling issue as soon as it is available in your distribution.
  • Retest any input paths that exercise escape-sequence parsing to confirm the crash is no longer reachable.
  • If immediate patching is not possible, reduce exposure by limiting untrusted input to MuJS-based components until remediation is deployed.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus. The CVE description explicitly says the issue is a denial of service caused by vectors related to incomplete escape sequences and that it exists due to an incomplete fix for CVE-2016-7563. The NVD metadata lists MuJS as the vulnerable CPE, CWE-125 as the weakness, and CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record was published on 2017-01-18 and later modified on 2026-05-13; the later modification date is not treated as the issue date.

Official resources

Publicly disclosed on 2017-01-18. The supplied corpus shows a later NVD modification on 2026-05-13, which should not be treated as the original disclosure date. No KEV listing is indicated in the provided data.