PatchSiren cyber security CVE debrief

CVE-2016-9956 Fedoraproject CVE debrief

CVE-2016-9956 affects FlightGear before 2016.4.4. A crafted Nasal script can abuse the route manager to write arbitrary files remotely, creating a high-severity integrity risk with no privileges or user interaction required. NVD classifies the weakness as CWE-284 and scores it CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Vendor: Fedoraproject
Product: CVE-2016-9956
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-22
Original CVE updated: 2026-05-13
Advisory published: 2017-02-22
Advisory updated: 2026-05-13

Who should care

FlightGear users and administrators, downstream distro maintainers, and security teams responsible for desktop or simulation software packages. Prioritize systems running FlightGear 2016.4.3 or earlier, including downstream builds that may need backported fixes.

Technical summary

The vulnerable component is FlightGear’s route manager. According to the CVE description, a remote attacker can supply a crafted Nasal script that causes arbitrary file writes, indicating an authorization/control failure in how the route manager handles script-driven file operations. NVD maps the issue to CWE-284 (Improper Access Control) and lists affected FlightGear versions through 2016.4.3.

Defensive priority

High: this is a network-exploitable, unauthenticated arbitrary file-write issue with direct integrity impact, and a fixed release is already identified.

Recommended defensive actions

  • Upgrade FlightGear to 2016.4.4 or a vendor-fixed downstream build.
  • Apply the relevant distro advisories and package updates referenced by NVD, including Debian and Fedora package announcements where applicable.
  • Verify whether any local or bundled Nasal content is trusted and restrict script loading to approved sources.
  • Review file-integrity monitoring and check for unexpected changes in FlightGear-managed or adjacent writable paths.
  • If you cannot patch immediately, isolate affected installations and minimize exposure to untrusted script input.

Evidence notes

The supplied NVD record lists FlightGear versions through 2016.4.3 as vulnerable and ties the weakness to CWE-284 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The reference set includes Debian Security Advisory DSA-3742, oss-security patch discussion threads from 2016-12-14, 2016-12-15, and 2016-12-16, Fedora package announcements, and the FlightGear release/patch references cited by NVD. The CVE record was published on 2017-02-22 and later modified by NVD on 2026-05-13.

Official resources

Public advisories and patch discussion were present in December 2016, and the CVE record was published by NVD/CVE on 2017-02-22. NVD later modified the record on 2026-05-13.