PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7567 Openslp CVE debrief

CVE-2016-7567 is a critical memory-corruption flaw in OpenSLP 2.0.0. NVD describes it as a buffer overflow in the SLPFoldWhiteSpace function in common/slp_compare.c, with remote attackers able to trigger unspecified impact using a crafted string. Because the issue is network-reachable and rated CVSS 9.8, it should be treated as an urgent patching priority for any environment that still runs the affected OpenSLP version.

Vendor
Openslp
Product
CVE-2016-7567
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for systems that include OpenSLP 2.0.0, especially if the service is exposed on networks where untrusted hosts can send SLP traffic. Asset owners, vulnerability management teams, and anyone validating legacy Linux/Unix software stacks should prioritize this CVE.

Technical summary

The NVD entry maps the vulnerability to OpenSLP 2.0.0 and CWE-119, indicating a classic buffer-overflow weakness in string-handling logic. The affected function is SLPFoldWhiteSpace in common/slp_compare.c. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which reflects a remotely reachable issue with potentially severe confidentiality, integrity, and availability impact.

Defensive priority

Critical. The combination of network attack vector, no privileges required, no user interaction, and high CVSS impact makes this a high-priority remediation item for exposed or legacy OpenSLP deployments.

Recommended defensive actions

  • Inventory hosts that contain OpenSLP and confirm whether version 2.0.0 is present.
  • Apply the upstream fix or vendor-provided update referenced by the OpenSLP project and downstream advisories.
  • If immediate patching is not possible, reduce exposure by restricting network access to SLP services at host and perimeter controls.
  • Validate whether OpenSLP is actually required; remove or disable it on systems that do not need the service.
  • Use vulnerability management scans and configuration checks to verify remediation across all endpoints and servers.

Evidence notes

This debrief is based on the official CVE and NVD records supplied in the corpus. The NVD entry identifies the affected component as OpenSLP 2.0.0, the weakness as CWE-119, and the CVSS vector as 9.8 critical. The reference set includes upstream OpenSLP mailing-list posts dated 2016-09-27 and 2016-09-28, which supports that the issue was discussed before the CVE publication date of 2017-01-23. A SourceForge revision and downstream advisories are also listed in NVD.

Official resources

The CVE record was published on 2017-01-23, with upstream OpenSLP mailing-list references from late September 2016 indicating earlier public discussion. NVD metadata was later modified on 2026-05-13; that date reflects record maintenance,不是