PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9436 openSUSE CVE debrief

CVE-2016-9436 describes a denial-of-service flaw in w3m's HTML tag parsing code. A crafted HTML file triggers an improper-initialization bug in parsetagx.c, which can crash w3m when the file is opened. NVD rates the issue as medium severity (6.5): no confidentiality or integrity impact, high availability impact, and a user-interaction requirement because a user has to open the content in w3m.

Vendor: openSUSE
Product: w3m (tats:w3m upstream; openSUSE Leap 42.1 and 42.2 packages listed by NVD)
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-20
Original CVE updated: 2026-05-13
Advisory published: 2017-01-20
Advisory updated: 2026-05-13

Who should care

Security teams and administrators who deploy w3m, especially on systems that open untrusted HTML content. Distribution maintainers and package owners for affected w3m builds and the openSUSE Leap packages listed by NVD should also confirm they have the fix applied.

Technical summary

The vulnerability is described as improper initialization in parsetagx.c in w3m, related to an <i> tag. The NVD vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) marks the attack vector as network because the malicious HTML is normally delivered remotely, requires the user to open it, and results in a crash (availability loss) rather than disclosure or tampering. The NVD weakness classification is CWE-20 (improper input validation). The corpus also shows a version-range discrepancy: the CVE description says w3m before 0.5.3+git20161009 is affected, while the NVD CPE criteria list vulnerable w3m builds ending at 0.5.3+git20160718.

Defensive priority

Medium. Patch promptly if w3m is used to render content from untrusted or externally supplied sources, because the impact is a crash and the trigger involves a simple crafted HTML file opened by a user.

Recommended defensive actions

  • Verify the installed w3m version against the fixed builds referenced in vendor and upstream advisories; per the CVE description, that means a 0.5.3 git snapshot dated 20161009 or later, or a distribution package that backports the fix.
  • Apply the relevant package update from your distribution or upstream w3m maintenance channel.
  • Treat untrusted HTML as unsafe input for w3m workflows (including scripts and mail readers that invoke w3m as a renderer) and limit where users can open external content.
  • If you manage affected openSUSE Leap 42.1 or 42.2 systems, confirm the package advisory has been applied.
  • Review crash logs or application failures around HTML rendering (for example, kernel segfault records attributed to the w3m process) to identify potentially affected hosts.
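As an added example that is not part of the advisory or the w3m project's code, the POSIX shell script below implements the first and last actions above: it classifies a w3m version string against the fix boundary named in the CVE description (0.5.3+git20161009) and counts kernel segfault records attributed to w3m in log text. It assumes version strings look like the first line of `w3m -version` ("w3m version w3m/0.5.3+git20161009, options ...") or like an rpm/dpkg version ("0.5.3+git20161009", "0.5.3.git20161120-1.1"); the log lines at the bottom are constructed for the example, not real captures. Snapshots dated between git20160718 (end of the NVD CPE range) and git20161009 (the description's boundary) are deliberately reported as vulnerable, which is the conservative reading of the discrepancy.

```shell
#!/bin/sh
# Added example: classify a w3m version against the CVE-2016-9436 fix boundary
# and scan log text for w3m segfaults. Not code from the advisory or from w3m.

FIXED_BASE=0.5.3          # last tagged release; fixes shipped as git snapshots
FIXED_GIT_DATE=20161009   # first fixed snapshot per the CVE description

# w3m_base_version STRING -> prints the dotted numeric base version, or nothing
w3m_base_version() {
    v=${1#*w3m/}      # strip a "w3m version w3m/" prefix if present
    v=${v%%+*}        # drop "+gitYYYYMMDD..." (Debian/upstream style)
    v=${v%%-*}        # drop a "-release" suffix
    v=${v%%.git*}     # drop ".gitYYYYMMDD" (openSUSE style)
    v=${v%%,*}        # drop ", options ..." from `w3m -version` output
    case $v in
        ''|*[!0-9.]*) printf '\n' ;;   # not a plain X.Y.Z version
        *) printf '%s\n' "$v" ;;
    esac
}

# w3m_git_date STRING -> prints the 8-digit git snapshot date, or nothing
w3m_git_date() {
    case $1 in
        *git[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*)
            d=${1##*git}                  # text after the last "git"
            printf '%s\n' "${d%%[!0-9]*}" ;;  # keep only the leading digits
        *) printf '\n' ;;
    esac
}

# vercmp A B -> prints -1, 0 or 1 comparing dotted numeric versions
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo -1; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo 1; return 0; fi
    done
    echo 0
}

# w3m_status STRING -> prints "fixed", "vulnerable" or "unknown"
w3m_status() {
    base=$(w3m_base_version "$1")
    date=$(w3m_git_date "$1")
    [ -n "$base" ] || { echo unknown; return 0; }
    case $(vercmp "$base" "$FIXED_BASE") in
        -1) echo vulnerable; return 0 ;;   # release older than 0.5.3
         1) echo fixed; return 0 ;;        # a release newer than 0.5.3 postdates the fix
    esac
    # base is 0.5.3: the plain release and snapshots before the fix date are affected
    if [ -z "$date" ]; then
        echo vulnerable
    elif [ "$date" -ge "$FIXED_GIT_DATE" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# count_w3m_crashes <stdin> -> number of kernel segfault records whose
# faulting process is w3m (other processes' segfaults are ignored)
count_w3m_crashes() {
    grep -c 'kernel:.* w3m\[[0-9]*\]: segfault' || true
}

# Constructed sample syslog lines (not real captures): two w3m segfaults,
# one unrelated segfault, one unrelated sshd line.
SAMPLE_LOG='Jan 20 10:01:02 host kernel: [ 1234.5678] w3m[4242]: segfault at 0 ip 000055d1c0a7b3a4 sp 00007ffd8e1c1b50 error 4 in w3m[55d1c0a4f000+7e000]
Jan 20 10:01:05 host sshd[1001]: Accepted publickey for alice from 192.0.2.10
Jan 20 10:02:10 host kernel: [ 1302.1111] w3m[4251]: segfault at 8 ip 000055d1c0a7b3a4 sp 00007ffd8e1c1b50 error 4 in w3m[55d1c0a4f000+7e000]
Jan 20 10:03:00 host kernel: [ 1350.0000] firefox[5000]: segfault at 0 ip 00007f1a2b3c4d5e sp 00007ffc0a1b2c30 error 4 in libxul.so[7f1a2a000000+6000000]'

# Live-host usage (either line; both commands exist on openSUSE):
#   w3m_status "$(w3m -version 2>/dev/null)"
#   w3m_status "$(rpm -q --qf '%{VERSION}\n' w3m 2>/dev/null)"
#   journalctl -k | count_w3m_crashes
```

The classifier treats a plain "0.5.3" release as vulnerable because the fix only exists in snapshots after that release; a distribution that backported the patch without bumping the snapshot date would be misreported, so confirm against the distribution advisory rather than relying on the version string alone in that case.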

Evidence notes

The CVE description and NVD data agree that the issue is a parsing bug in w3m leading to a crash from crafted HTML. The GitHub commit referenced by NVD is the patch record, and the GitHub issue and third-party advisories corroborate the fix. The corpus contains a version-range mismatch: the textual CVE description says before 0.5.3+git20161009, while NVD's vulnerable CPE criteria end at 0.5.3+git20160718. The practical consequence is that git snapshots dated between 20160718 and 20161009 should be treated as vulnerable until the description's boundary is confirmed against the referenced commit. NVD also lists openSUSE Leap 42.1 and 42.2 as vulnerable alongside tats:w3m.

Official resources

Publicly disclosed in the CVE record on 2017-01-20. The NVD record was later modified on 2026-05-13; that later modification is record maintenance, not the original disclosure date.