PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9132 Botan Project CVE debrief

CVE-2016-9132 affects Botan releases 1.8.0 through 1.11.33. When BER data is decoded, an integer overflow can cause an incorrect length field to be computed. If an application then trusts and uses that attacker-influenced length value, the result can be memory corruption or another failure. Because the issue can be triggered through untrusted input and the CVSS score is 9.8, this should be treated as a high-priority patching item for any software that uses Botan for BER parsing.

Vendor
Botan Project
Product
CVE-2016-9132
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-30
Original CVE updated
2026-05-13
Advisory published
2017-01-30
Advisory updated
2026-05-13

Who should care

Developers and operators of applications that embed Botan, especially software that decodes BER-encoded data from untrusted sources and any code that uses the returned length value in later memory operations.

Technical summary

The NVD record describes a CWE-190 integer overflow in Botan's BER decoding path. For versions 1.8.0 through 1.11.33, malformed input can lead to an incorrect length field being computed. The risk is not limited to the decoder itself: any API caller that consumes that returned length without robust validation may later perform unsafe memory handling, which can cascade into corruption or process failure.

Defensive priority

Critical — patch immediately, especially on systems that parse attacker-controlled BER input.

Recommended defensive actions

  • Inventory all products and services that link against Botan and confirm whether they decode BER data.
  • Upgrade to a Botan release that includes the upstream fix referenced by commit 987ad747db6d0d7e36f840398f3cf02e2fbfd90f.
  • Treat any use of BER parsing on untrusted input as high risk until patched.
  • Audit callers that rely on decoded length fields and add explicit bounds validation before any memory-sensitive use.
  • Prioritize remediation for internet-facing or remotely reachable services.
  • Track downstream vendor package advisories, including the Fedora package announcements linked in the record, for packaged fixes.
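As an added illustration of the length-validation point from the technical summary and the audit bullet above (this is example code, not Botan's decoder or the upstream fix): a BER length field in long form says "the next N bytes hold the length", and an accumulator that shifts those bytes together without checking N against the width of size_t can wrap to a wrong, small value that the caller then trusts. The hardened function rejects unrepresentable, truncated and oversized lengths before returning anything.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

struct BerLength {
    std::size_t value;     // decoded content length
    std::size_t consumed;  // number of bytes the length field occupied
};

// Unchecked long-form accumulation of the kind that yields a wrong length:
// once the shifted bytes exceed the width of size_t they silently wrap.
// Kept here only to contrast with the hardened decoder below (constructed example).
std::size_t naive_long_form_length(const std::vector<uint8_t>& buf, std::size_t pos) {
    const std::size_t len_bytes = buf[pos] & 0x7F;
    std::size_t len = 0;
    for (std::size_t i = 0; i < len_bytes; ++i)
        len = (len << 8) | buf[pos + 1 + i];
    return len;
}

// Hardened decoder for a BER definite-form length located at buf[pos].
// Returns std::nullopt for any malformed, unrepresentable or oversized length.
std::optional<BerLength> decode_ber_length(const std::vector<uint8_t>& buf, std::size_t pos) {
    if (pos >= buf.size()) return std::nullopt;
    const std::size_t remaining = buf.size() - pos - 1;       // bytes after the first octet
    const uint8_t first = buf[pos];
    if ((first & 0x80) == 0) {                                // short form: 0..127
        if (first > remaining) return std::nullopt;           // declared length exceeds data
        return BerLength{first, 1};
    }
    const std::size_t len_bytes = first & 0x7F;
    if (len_bytes == 0) return std::nullopt;                  // 0x80 = indefinite form, not handled here
    if (len_bytes == 0x7F) return std::nullopt;               // reserved by X.690
    if (len_bytes > sizeof(std::size_t)) return std::nullopt; // cannot fit in size_t: would overflow
    if (len_bytes > remaining) return std::nullopt;           // truncated length field
    std::size_t len = 0;
    for (std::size_t i = 0; i < len_bytes; ++i) {
        if (len > (std::numeric_limits<std::size_t>::max() >> 8)) return std::nullopt; // shift would wrap
        len = (len << 8) | buf[pos + 1 + i];
    }
    if (len > remaining - len_bytes) return std::nullopt;     // declared length exceeds data
    return BerLength{len, 1 + len_bytes};
}
```

The final check against the bytes actually present is what keeps a caller from ever receiving a length it could use to read or write past its buffer.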

Evidence notes

The supplied NVD record states that Botan 1.8.0 through 1.11.33 are affected and that an integer overflow during BER decoding can produce an incorrect length field. NVD classifies the weakness as CWE-190 and assigns CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The CVE was published on 2017-01-30T22:59:00.827Z and later modified on 2026-05-13T00:24:29.033Z; use the publication date for disclosure timing. The corpus also includes the upstream Botan patch commit and third-party/package advisories.

Official resources

Publicly disclosed on 2017-01-30. The NVD record was modified on 2026-05-13; that later date reflects record maintenance, not the original issue date.