PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6866 Fedoraproject CVE debrief

CVE-2016-6866 describes a flaw in slock where an invalid password hash can trigger a NULL pointer dereference. The result is a crash with high availability impact, and the issue is described as allowing screen-lock bypass in the supplied corpus.

Vendor: Fedoraproject
Product: CVE-2016-6866
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators and users of suckless slock deployments, especially systems running vulnerable packaged builds such as the Fedora 24 and 25 packages referenced in the corpus.

Technical summary

NVD classifies the issue as CWE-476 (NULL pointer dereference) with CVSS 3.0 7.5/HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The affected CPE range includes suckless slock through version 1.3, and the supplied references point to upstream patch/advisory material, mailing list disclosure, and Fedora package announcements. The core security concern is that malformed authentication input can cause slock to crash and undermine the intended screen-lock behavior.

Defensive priority

High

Recommended defensive actions

  • Review whether any system uses suckless slock or a distribution package built from vulnerable sources.
  • Apply the upstream fix referenced by the vendor commit and install any distribution updates that incorporate it.
  • Confirm that patched builds still enforce the lock screen correctly after update.
  • Inventory Fedora 24/25 systems or other packaged deployments that may include the affected slock version range.
  • Treat repeated lock-screen crashes as a security incident and validate package provenance before redeployment.

Evidence notes

The supplied corpus includes the official CVE record, the NVD detail page, an upstream slock commit tagged as a patch/vendor advisory, an external advisory, Openwall disclosure threads, SecurityFocus, and Fedora package announcements. NVD lists CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-476. The public reference material in the corpus dates to 2016-08-18, while the CVE publication date is 2017-02-15. No KEV entry is present in the supplied enrichment.

Official resources

CVE-2016-6866 was published on 2017-02-15. The supplied reference corpus shows public discussion and patch/advisory material from 2016-08-18, indicating the issue was discussed before CVE publication. No KEV entry is listed in the supplied enrichment.