Cyber Resilience

CVE-2016-3298

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 October 2016
Modified: 22 April 2026
KEV Added: 24 May 2022
Patch
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.2830 (96.6th percentile)
Risk Priority: 50 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2016-3298 is a medium-severity vulnerability (weakness type unspecified) in Microsoft Windows Server 2008. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 3.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).

Deeper analysis

Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 contain an information disclosure vulnerability that permits remote attackers to determine the existence of arbitrary files on a target system through a specially crafted web site. The flaw is tracked as CVE-2016-3298 with a CVSS score of 6.5, reflecting a network attack vector, low attack complexity, no required privileges, and a dependency on user interaction.

A remote attacker can host or compromise a web site that triggers the vulnerability when visited by a user running the affected software. The result is disclosure of whether specific files are present on the user's system; the confidentiality impact is limited to this existence check, and there is no integrity or availability impact.

Microsoft addressed the issue through security updates published in bulletins MS16-118 and MS16-126, which practitioners should apply to the listed Windows and Internet Explorer versions to prevent exploitation.

EU & UK References

Vulnerability details

Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."

CWE(s)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Microsoft Internet Explorer: 9, 10, 11
Microsoft Windows 7: all versions
Microsoft Windows Server 2008: all versions, R2
Microsoft Windows Vista: all versions

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation)

Directly requires applying the vendor security updates (MS16-118/MS16-126) that eliminate the IE/WinINet file-existence disclosure flaw.

detect

Explicitly calls for monitoring that can identify attempts to abuse the browser to disclose the presence of arbitrary local files.

prevent: AC-4 (Information Flow Enforcement)

Enforces information-flow rules that can block or sanitize the unauthorized leakage of file-existence metadata from the browser process to a remote site.

References