CVE-2016-10141 in MuJS
Summary
by MITRE
An integer overflow vulnerability was observed in the regemit function in regexp.c in Artifex Software, Inc. MuJS before fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045. The attack requires a regular expression with nested repetition. A successful exploitation of this issue can lead to code execution or a denial of service (buffer overflow) condition.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/13/2026
The integer overflow vulnerability identified as CVE-2016-10141 resides within the MuJS JavaScript interpreter developed by Artifex Software, Inc., specifically within the regemit function located in regexp.c. This flaw represents a critical security weakness that can be exploited through carefully crafted regular expressions containing nested repetition patterns. The vulnerability manifests when the interpreter processes regular expressions that create excessively large integer values during the compilation phase, leading to unpredictable behavior and potential system compromise.
The technical implementation of this vulnerability stems from improper handling of integer arithmetic within the regular expression compilation process. When nested repetition patterns are processed, the regemit function fails to adequately validate or constrain integer values that may exceed the maximum representable value for the target platform's integer type. This condition creates an integer overflow that can result in memory corruption, particularly affecting buffer boundaries and memory allocation calculations. The vulnerability is classified under CWE-190 as an integer overflow or wraparound, which directly enables attackers to manipulate memory layout and potentially execute arbitrary code through controlled buffer overflows.
The operational impact of this vulnerability extends beyond simple denial of service scenarios to encompass full code execution capabilities. An attacker who successfully exploits this integer overflow can manipulate the interpreter's memory management functions, potentially leading to arbitrary code execution with the privileges of the affected application. The attack vector requires the victim to process a malicious regular expression, making this vulnerability particularly dangerous in environments where user-supplied input is processed through the JavaScript interpreter. This makes it especially relevant in web applications, server-side scripting environments, and any system where untrusted regular expressions may be evaluated.
Mitigation strategies for CVE-2016-10141 should prioritize immediate patching of affected MuJS versions, with particular attention to updating to the commit fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045 or later. Organizations should implement input validation and sanitization measures to prevent untrusted regular expressions from being processed by the interpreter, particularly in web applications where user input may be used in regular expression operations. Additionally, deploying runtime protections such as address space layout randomization and stack canaries can help mitigate exploitation attempts. The vulnerability aligns with ATT&CK technique T1059.007 for scripting and T1203 for exploitation for privilege escalation, making comprehensive endpoint protection and network monitoring essential components of the overall defense strategy.