CVE-2016-9842: High severity Apple tvOS vulnerability
Published Dec 7, 2016
·Updated
Last updated 11 July 2025
Other sources
The C standard says that bit shifts of negative integers is undefined.
External References:
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7
Upstream patches:
https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958 https://github.com/madler/zlib/commit/2edb94a3025d288dc251bc6cbb2c02e60fbd7438
CVE assignment:
http://seclists.org/oss-sec/2016/q4/602
— Red Hat
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
— Launchpad
zlib. Multiple issues were addressed by updating to version 1.2.11.
Credit
CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Affected Software
45 affected componentsFixes available
redhat/zlib<1.2.9
1.2.9
Apple tvOS<11
11
Apple macOS High Sierra<10.13
10.13
Apple WatchOS<4
4
Apple iOS<11
11
GNU Zlib>=1.2.3.4<1.2.9
openSUSE Leap=42.1
openSUSE Leap=42.2
openSUSE openSUSE=13.2
Debian Debian Linux=8.0
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Oracle Database Server=18c
Oracle JDK=1.6.0-update161
Oracle JDK=1.7.0-update151
Oracle JDK=1.8.0-update144
Oracle JRE=1.6.0-update161
Oracle JRE=1.7.0-update151
Oracle JRE=1.8.0-update144
Oracle MySQL>=5.5.0<=5.5.61
Oracle MySQL>=5.6.0<=5.6.41
Oracle MySQL>=5.7.0<=5.7.23
Oracle MySQL>=8.0.0<=8.0.12
redhat Satellite=5.8
redhat Enterprise Linux Desktop=6.0
redhat Enterprise Linux Desktop=7.0
redhat Enterprise Linux Eus=7.4
redhat Enterprise Linux Eus=7.5
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Server=7.0
redhat Enterprise Linux Workstation=6.0
redhat Enterprise Linux Workstation=7.0
Apple iPhone OS<11
Apple iOS and macOS>=10.0.0<10.13.0
Apple tvOS<11.0
Apple WatchOS<4
Nodejs Node.js>=4.0.0<=4.1.2
Nodejs Node.js>=4.2.0<4.8.2
Nodejs Node.js>=6.0.0<=6.8.1
Nodejs Node.js>=6.9.0<6.10.2
Nodejs Node.js>=7.0.0<7.6.0
zlib zlib>=1.2.3.4<1.2.9
Canonical Ubuntu Linux=18.04
debian/rsync
3.2.3-4+deb11u13.2.3-4+deb11u33.2.7-1+deb12u43.2.7-1+deb12u23.4.1+ds1-5+deb13u13.4.1+ds1-7
debian/zlib
1:1.2.11.dfsg-2+deb11u21:1.2.13.dfsg-11:1.3.dfsg+really1.3.1-11:1.3.dfsg+really1.3.1-3
Remediation
Patch Available
Patch Available
Event History
May 23, 2017
CVE Published
via MITRE·03:56 AM
Data Sourced
via MITRE·03:56 AM
Description
Data Sourced
via NVD·04:29 AM
RemedyDescriptionSeverityWeaknessAffected Software
Jan 11, 2024
Data Sourced
via Launchpad·10:23 PM
Description
Dec 4, 2025
Data Sourced
via Ubuntu·04:49 PM
RemedyDescriptionSeverityAffected Software
Feb 19, 2026
Data Sourced
via Debian·07:18 PM
DescriptionAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2017-13832
- CVE-2017-13829
- CVE-2017-13833
- CVE-2017-7083
- CVE-2017-0381
- CVE-2017-13825
- CVE-2017-13815
- CVE-2017-13828
- CVE-2017-13830
- CVE-2017-13814
- CVE-2017-13831
- CVE-2017-13817
- CVE-2017-13818
- CVE-2017-13836
- CVE-2017-13841
- CVE-2017-13840
- CVE-2017-13842
- CVE-2017-13782
- CVE-2017-13843
- CVE-2017-7114
- CVE-2017-13854
- CVE-2017-13834
- CVE-2017-13873
- CVE-2017-13813
- CVE-2017-13816
- CVE-2017-13812
- CVE-2017-7086
- CVE-2017-1000373
- CVE-2016-9063
- CVE-2017-9233
- CVE-2017-9049
- CVE-2017-5130
- CVE-2017-7376
- CVE-2017-9050
- CVE-2017-13822
- CVE-2017-7080
- CVE-2017-10989
- CVE-2017-7128
- CVE-2017-7129
- CVE-2017-7130
- CVE-2017-7127
- CVE-2017-7081
- CVE-2017-7087
- CVE-2017-7091
- CVE-2017-7092
- CVE-2017-7093
- CVE-2017-7094
- CVE-2017-7095
- CVE-2017-7096
- CVE-2017-7098
- CVE-2017-7099
- CVE-2017-7100
- CVE-2017-7102
- CVE-2017-7104
- CVE-2017-7107
- CVE-2017-7111
- CVE-2017-7117
- CVE-2017-7120
- CVE-2017-7090
- CVE-2017-7109
- CVE-2017-11120
- CVE-2017-11121
- CVE-2017-7103
- CVE-2017-7105
- CVE-2017-7108
- CVE-2017-7110
- CVE-2017-7112
- CVE-2017-7115
- CVE-2017-7116
- CVE-2017-11122
- CVE-2016-9840
- CVE-2016-9841
- CVE-2016-9842
- CVE-2016-9843
- CVE-2016-0736
- CVE-2016-2161
- CVE-2016-5387
- CVE-2016-8740
- CVE-2016-8743
- CVE-2017-13909
- CVE-2017-13809
- CVE-2017-7084
- CVE-2017-7074
- CVE-2017-13820
- CVE-2017-13807
- CVE-2017-7143
- CVE-2017-13821
- CVE-2017-13890
- CVE-2017-13851
- CVE-2017-7138
- CVE-2017-7121
- CVE-2017-7122
- CVE-2017-7123
- CVE-2017-7124
- CVE-2017-7125
- CVE-2017-7126
- CVE-2017-13811
- CVE-2017-13835
- CVE-2017-11103
- CVE-2017-13819
- CVE-2017-13837
- CVE-2017-13906
- CVE-2017-7077
- CVE-2017-7119
- CVE-2017-13810
- CVE-2017-13827
- CVE-2016-4736
- CVE-2018-4302
- CVE-2017-7141
- CVE-2017-7078
- CVE-2017-6451
- CVE-2017-6452
- CVE-2017-6455
- CVE-2017-6458
- CVE-2017-6459
- CVE-2017-6460
- CVE-2017-6462
- CVE-2017-6463
- CVE-2017-6464
- CVE-2016-9042
- CVE-2017-13824
- CVE-2017-13846
- CVE-2017-10140
- CVE-2017-7132
- CVE-2017-13823
- CVE-2017-13808
- CVE-2017-13838
- CVE-2017-7082
- CVE-2017-13908
- CVE-2017-13839
- CVE-2017-13910
- CVE-2017-13863
- CVE-2017-7131
- CVE-2017-7088
- CVE-2017-7072
- CVE-2017-7140
- CVE-2017-7148
- CVE-2017-7097
- CVE-2017-7118
- CVE-2017-7133
- CVE-2017-7075
- CVE-2017-7139
- CVE-2017-13806
- CVE-2017-7085
- CVE-2017-13877
- CVE-2017-7146
- CVE-2017-6211
- CVE-2017-7145
- CVE-2017-7089
- CVE-2017-7106
- CVE-2017-7144
- CVE-2017-7142