CVE-2016-0034
CVE-2016-0034 is a high-severity vulnerability in Microsoft Silverlight with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-05-25).
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.3
- EPSS exploit prediction: 70% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-05-25)
- EU (EUVD) id: EUVD-2016-0072
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-05-25)
- Affected product: Microsoft Silverlight
- Published:
- Last modified:
Description
Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka "Silverlight Runtime Remote Code Execution Vulnerability."
CVE-2016-0034: Silverlight Remote Code Execution via Decoding Offset Mishandling
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2016-0034 is a memory-corruption vulnerability in Microsoft Silverlight 5. A decoding routine fails to properly handle negative offset values, which can corrupt an object header when parsing malicious content. This condition can be leveraged by an attacker to execute arbitrary code in the context of the logged-on user or to crash the application.
Background
Microsoft Silverlight was a browser plugin for running rich internet applications, primarily on Windows and macOS. While Silverlight has been deprecated and its end-of-support date passed in October 2021, many legacy enterprise environments still have it installed or embedded in line-of-business applications, making historical vulnerabilities relevant for incident-response and asset-inventory reviews.
Root Cause
The vulnerability stems from improper handling of negative offsets during a decoding operation inside the Silverlight runtime. When a malformed stream or object contains a negative offset value, the decoder does not reject or sanitize the input adequately. Instead, the negative offset is applied to a memory calculation, resulting in object-header corruption. This condition is typically associated with memory-safety defects, though no specific CWE identifier is cataloged in the NVD record for this entry.
Impact
The CVSS v2 base score for this flaw is 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C), indicating that an unauthenticated network attacker can achieve complete loss of confidentiality, integrity, and availability with medium attack complexity. The CVSS v3.1 score is 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), which reflects network attack vector, low complexity, no required privileges, required user interaction, unchanged scope, and high impact across all three security dimensions. Successful exploitation yields remote code execution or denial of service.
Exploitation Walkthrough
From a defender's perspective, exploitation typically follows a drive-by-compromise pattern. An attacker embeds a malicious Silverlight application or object inside a web page. When a victim with a vulnerable Silverlight plugin visits the page, the malformed object is decoded and the negative offset is processed. The resulting object-header corruption can be shaped to redirect execution flow or crash the process. No exploit code is provided here, and any attempt to weaponize this flaw should be conducted only in isolated, authorized research environments with strict ethical oversight. The primary value for defenders is understanding that a single user interaction with a compromised or malicious website is sufficient to trigger the vulnerability.
Affected and Patched Versions
Affected: Microsoft Silverlight 5 versions prior to 5.1.41212.0.
Patched: Microsoft Silverlight 5.1.41212.0 and later.
Because Silverlight itself has reached end-of-life, the most robust remediation is to remove the software entirely rather than relying solely on legacy patches.
Remediation
- Upgrade: If Silverlight must remain installed for operational reasons, apply Microsoft Security Bulletin MS16-006 to reach version 5.1.41212.0 or later.
- Remove: Uninstall Silverlight from all endpoints where it is not strictly required. As a deprecated product, it no longer receives security updates and carries ongoing risk.
- Browser controls: Disable or block the Silverlight plugin in all browsers via Group Policy or enterprise browser-management tools.
- Network controls: Restrict outbound web access from systems that still require Silverlight, and enforce URL filtering to reduce exposure to untrusted sites.
- Application whitelisting: Prevent execution of Silverlight binaries and XAP packages on endpoints where they are not business-critical.
Detection
- Asset inventory: Scan endpoints for the presence of
sllauncher.exeor Silverlight ActiveX controls to identify legacy installations. - Network monitoring: Look for HTTP requests fetching
.xapor.xamlfiles from unexpected or untrusted domains, especially on subnets with known Silverlight dependencies. - Endpoint detection: Monitor for abnormal child-process spawning from browser processes where Silverlight is enabled, and for unexpected memory-access patterns in the Silverlight runtime.
- Vulnerability scanning: Verify that vulnerability-management tools flag Silverlight versions below 5.1.41212.0 and track remediation progress.
Assessment
This vulnerability carries an EPSS probability of 0.69709 (approximately 69.7% likelihood of exploitation within 30 days), placing it in the 99.3rd percentile relative to all scored CVEs. It is also listed in CISA's Known Exploited Vulnerabilities catalog with an exploitation start date of 2022-05-25, and it is flagged as exploited by the European Union vulnerability database. The combination of high CVSS scores, confirmed real-world exploitation, and a widely installed legacy product makes this a high-priority cleanup item even years after initial disclosure.
Lessons: First, legacy software that has reached end-of-life should be aggressively inventoried and removed, because patches stop but exploitation continues. Second, a single malformed offset in a decoding routine can escalate into a full remote-compromise scenario, reinforcing the value of strict input validation and memory-safe programming practices.
References
Frequently asked questions
- What is CVE-2016-0034?
- Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka "Silverlight Runtime Remote Code Execution Vulnerability."
- How severe is CVE-2016-0034?
- CVE-2016-0034 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2016-0034 being actively exploited?
- Yes. CVE-2016-0034 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-05-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2016-0034?
- CVE-2016-0034 affects Microsoft Silverlight. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2016-0034?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2016-0034 have an EU (EUVD) identifier?
- Yes. CVE-2016-0034 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2016-0072. It is also flagged as exploited in the EUVD (since 2022-05-25).
- When was CVE-2016-0034 published?
- CVE-2016-0034 was published on 2016-01-13 and last updated on 2026-06-17.
References
- http://www.securitytracker.com/id/1034655
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-006
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0034
Affected products (1)
- cpe:2.3:a:microsoft:silverlight:*:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Silverlight
- CVE-2015-6166 — Critical (CVSS 9.3): Microsoft Silverlight 5 before 5.1.41105.00 allows remote attackers to execute arbitrary code or cause a denial of…
- CVE-2015-6108 — Critical (CVSS 9.3): The Windows font library in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8;…
- CVE-2015-2464 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2463 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2456 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…
- CVE-2015-2455 — Critical (CVSS 9.3): Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server…