PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9108 Fedoraproject CVE debrief

CVE-2016-9108 is an integer overflow in MuJS's js_regcomp function in regexp.c. A crafted regular expression can trigger an application crash, resulting in denial of service. NVD assigns a CVSS 3.1 base score of 7.5 (High) with a network-based, unauthenticated, no-user-interaction impact profile. The NVD record associates the issue with MuJS versions before commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e, and also lists Fedora 23, 24, and 25 as vulnerable CPEs.

Vendor: Fedoraproject
Product: CVE-2016-9108
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Teams running MuJS or systems that package MuJS, especially Fedora 23/24/25-era deployments and any application that evaluates untrusted regular expressions through MuJS.

Technical summary

The issue is classified as CWE-190 (integer overflow). According to the supplied NVD record, the vulnerable path is js_regcomp in regexp.c, where a crafted regular expression can trigger an overflow and crash the process. The impact reported in the corpus is denial of service only (availability loss), with no confidentiality or integrity impact in the CVSS vector.
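To make the CWE-190 failure mode concrete, here is an added example (not MuJS's regexp.c and not the fix commit) that models how a regex compiler's program-size counter can wrap under nested counted repetitions, and shows the check-before-arithmetic form that rejects such patterns instead. The size model, the MAXPROG cap and the sample repeat counts are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a regex compiler's program-size accounting (not
 * MuJS's regexp.c): a counted repetition x{n} is n copies of its body plus
 * two bookkeeping nodes, so nested repetitions multiply sizes. */
#define MAXPROG (32u << 10)  /* assumed cap on compiled program nodes */

/* Constructed sample inputs: reps[i] is the repeat count at nesting level i,
 * so {3, 4} models (a{3}){4}. */
static const uint32_t benign_reps[]  = {3, 4};
static const uint32_t crafted_reps[] = {2, 2147483648u};

/* Unchecked (CWE-190): uint32_t arithmetic wraps, so the crafted pattern is
 * sized as 2 nodes. An allocation based on that is far too small for the
 * program actually emitted; compilation then overruns it and crashes (DoS). */
uint32_t prog_size_unchecked(const uint32_t *reps, size_t depth)
{
    uint32_t size = 1;
    for (size_t i = 0; i < depth; i++)
        size = size * reps[i] + 2;
    return size;
}

/* Hardened: prove each multiply and add stays under MAXPROG *before* doing
 * it, and reject the pattern otherwise, so the counter can never wrap. A
 * post-hoc "size <= MAXPROG" test would not help: the wrapped value passes. */
bool prog_size_checked(const uint32_t *reps, size_t depth, uint32_t *out)
{
    uint32_t size = 1;
    for (size_t i = 0; i < depth; i++) {
        if (reps[i] != 0 && size > MAXPROG / reps[i])
            return false;            /* size * reps[i] would exceed the cap */
        size *= reps[i];
        if (size > MAXPROG - 2)
            return false;            /* bookkeeping nodes would exceed it */
        size += 2;
    }
    *out = size;
    return true;
}

/* Convenience wrapper: 0 means the pattern was rejected. */
uint32_t prog_size_or_zero(const uint32_t *reps, size_t depth)
{
    uint32_t size;
    return prog_size_checked(reps, depth, &size) ? size : 0;
}
```

The benign pattern sizes to 22 nodes either way; the crafted one wraps to 2 in the unchecked version (and so would pass a cap check applied afterwards), while the checked version rejects it at the second nesting level.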

Defensive priority

High

Recommended defensive actions

  • Upgrade MuJS to a build that includes commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e, or any later release.
  • If you consume MuJS through a Linux distribution package, apply the vendor or distro advisory referenced in the record and verify the fixed package version.
  • Inventory any applications that accept untrusted regular expressions or regex-like input through MuJS and prioritize them for patching.
  • Validate runtime stability after remediation by testing normal regex parsing paths in staging rather than production.
  • Track the linked Red Hat bug and Fedora package announcement references for packaging-specific guidance and backport status.

Evidence notes

The core technical details come from the supplied NVD record: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-190, and the vulnerable scope in MuJS before commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e. The corpus also includes an earlier public disclosure reference on 2016-10-30 via the oss-security mailing list, plus Red Hat Bugzilla and Fedora package-announce references for downstream tracking. Use the CVE published date of 2017-02-03 for record timing and treat 2026-05-13 only as the NVD modification date, not as the vulnerability date.

Official resources

The CVE was published in NVD on 2017-02-03. The supplied references indicate an earlier public disclosure path on 2016-10-30 via oss-security, while the NVD record was later modified on 2026-05-13. That later modified date reflects record c