Cyber Resilience

CVE-2016-0034

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 13 January 2016
Modified: 22 April 2026
KEV Added: 25 May 2022
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5487 (98.1st percentile)
Risk Priority: 71 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-0034 is a high-severity vulnerability in Microsoft Silverlight whose weakness type (CWE) is unspecified. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

Microsoft Silverlight 5 before version 5.1.41212.0 contains a remote code execution vulnerability stemming from improper handling of negative offsets during decoding operations. The flaw resides in the Silverlight runtime component and can result in object-header corruption when processing specially crafted content.

Remote attackers can exploit the issue by serving a malicious website that triggers the decoding flaw when visited by a user with an affected Silverlight installation. Successful exploitation grants arbitrary code execution in the context of the current user, or alternatively produces a denial-of-service condition. This matches the CVSS 8.8 rating, which reflects a network attack vector, low attack complexity, no privileges required, and user interaction required (visiting the page).

Microsoft security bulletin MS16-006 addresses the vulnerability through an updated Silverlight runtime (5.1.41212.0 and later) and is referenced in multiple tracking databases including SecurityTracker. The flaw appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation activity that underscores the importance of applying the vendor patch promptly.

Vulnerability details

Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka "Silverlight Runtime Remote Code Execution Vulnerability."

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microsoft
Product: silverlight
Versions: 5.0 up to, but not including, 5.1.41212.0 (fixed in 5.1.41212.0)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely installation of the vendor patch (Silverlight 5.1.41212.0) that eliminates the negative-offset decoding flaw.

SC-18 Mobile Code (prevent): Restricts or disables execution of Silverlight mobile code delivered by untrusted web sites, blocking the attack vector before the decoder is invoked.

SI-3 Malicious Code Protection (prevent, detect): Malicious-code protection mechanisms can block or alert on the crafted Silverlight content that triggers the RCE/DoS condition.
