CVE-2016-9844 in UnZIPinfo

Summary

by MITRE

Buffer overflow in the zi_short function in zipinfo.c in Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service (crash) via a large compression method value in the central directory file header.


Analysis

by VulDB Data Team • 05/13/2026

The vulnerability identified as CVE-2016-9844 represents a critical buffer overflow condition within the Info-Zip UnZip 6.0 utility, specifically within the zi_short function located in the zipinfo.c source file. This flaw manifests when the decompression utility processes archive files containing malformed central directory file headers with excessively large compression method values. The issue stems from inadequate input validation and bounds checking mechanisms that fail to properly handle oversized numerical values within the compression method field, creating a scenario where memory allocation does not correspond to the actual data size being processed.

The technical execution of this vulnerability occurs during the parsing of zip archive metadata, where the zi_short function attempts to process compression method values without sufficient validation of their range or legitimacy. When an attacker crafts a malicious zip file containing a central directory entry with an abnormally large compression method value, the function's buffer allocation becomes insufficient to accommodate the expected data, leading to memory corruption. This memory corruption manifests as a segmentation fault or access violation that causes the UnZip utility to terminate abruptly, resulting in a denial of service condition that prevents legitimate users from accessing the archive contents.

From an operational perspective, this vulnerability presents significant risks to systems that rely on automated processing of zip archives, particularly in environments where users can upload or receive files from untrusted sources. The denial of service impact extends beyond simple application crashes to potentially disrupt automated workflows, backup systems, and file processing pipelines that depend on UnZip functionality. Attackers can exploit this weakness to systematically crash systems that process zip files, creating persistent availability issues that may require manual intervention to resolve, including system restarts or manual cleanup of corrupted archive states.

The vulnerability aligns with CWE-121 (stack-based buffer overflow) and is a classic example of insufficient input validation in an archive processing utility. In ATT&CK terms it maps to technique T1203, Exploitation for Client Execution, targeting the execution environment through file processing utilities. The attack requires minimal sophistication, since it needs only a crafted zip file with an oversized compression method value, which makes it particularly dangerous for automated systems that process user-uploaded content without proper validation.

Effective mitigations for CVE-2016-9844 start with immediate patching of affected UnZip installations to versions that properly validate compression method values and apply appropriate bounds checking. Organizations should also validate file headers before processing, enforce file size limits for uploaded archives, and deploy intrusion detection systems that can identify suspicious zip file patterns. System administrators should additionally consider sandboxed environments for archive processing and regularly audit their systems for vulnerable UnZip installations. Remediation should include comprehensive testing of patched versions to ensure that legitimate archive processing continues to function correctly while the buffer overflow condition behind the denial of service is eliminated.
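One way to implement the "validate file headers before processing" step, as an added example that is not code from VulDB or Info-ZIP: a pre-filter that walks the central directory and rejects any entry whose compression method is outside an allowlist. The function names, the allowlist contents and the sample archive are assumptions made for this illustration; ZIP64 archives are not handled and fail closed.

```python
import io
import struct
import zipfile

# Fixed-size ZIP records (little-endian, no padding).
EOCD = struct.Struct("<4s4H2LH")     # end of central directory, 22 bytes
CDFH = struct.Struct("<4s6H3L5H2L")  # central directory file header, 46 bytes

# Assumed policy: only the methods this pipeline actually needs
# (stored, deflate, bzip2, LZMA). Adjust to local requirements.
ALLOWED_METHODS = {0, 8, 12, 14}

def check_central_directory(data: bytes) -> list:
    """Return [(filename, method)] for entries outside the allowlist.

    Raises ValueError when the archive structure cannot be trusted.
    """
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0 or eocd_at + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, cd_size, cd_off, _ = EOCD.unpack_from(data, eocd_at)
    cd_end = cd_off + cd_size
    if cd_end > eocd_at:
        raise ValueError("central directory out of bounds")
    findings, pos = [], cd_off
    for _ in range(total):
        if pos + CDFH.size > cd_end:
            raise ValueError("truncated central directory")
        rec = CDFH.unpack_from(data, pos)
        if rec[0] != b"PK\x01\x02":
            raise ValueError("bad central header signature")
        method, name_len, extra_len, comment_len = rec[4], rec[10], rec[11], rec[12]
        start = pos + CDFH.size
        name = data[start:start + name_len].decode("utf-8", "replace")
        if method not in ALLOWED_METHODS:
            findings.append((name, method))
        pos = start + name_len + extra_len + comment_len
    return findings

def sample_zip(method=None) -> bytes:
    """Constructed test fixture: one stored file; optionally override the
    16-bit compression method field (offset 10) of its central header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("a.txt", b"hello")
    raw = bytearray(buf.getvalue())
    if method is not None:
        struct.pack_into("<H", raw, raw.find(b"PK\x01\x02") + 10, method)
    return bytes(raw)

if __name__ == "__main__":
    print(check_central_directory(sample_zip()))        # clean archive
    print(check_central_directory(sample_zip(0xFFFF)))  # flagged entry
```

Archives with any finding, or that raise ValueError, should be quarantined rather than handed to the extraction tool.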

Reservation: 12/05/2016
Disclosure: 01/18/2017
Moderation: accepted
Entry: VDB-95531
CPE: ready
EPSS: 0.09788
KEV: no
Activities: very low
