CVE-2016-3646

high

Published 2016-06-30 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.4

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.4

Description

The AntiVirus Decomposer engine in Symantec Advanced Threat Protection (ATP); Symantec Data Center Security:Server (SDCS:S) 6.x through 6.6 MP1; Symantec Web Gateway; Symantec Endpoint Protection (SEP) before 12.1 RU6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1 RU6 MP5; Symantec Protection Engine (SPE) before 7.0.5 HF01, 7.5.x before 7.5.3 HF03, 7.5.4 before HF01, and 7.8.0 before HF01; Symantec Protection for SharePoint Servers (SPSS) 6.0.3 through 6.0.5 before 6.0.5 HF 1.5 and 6.0.6 before HF 1.6; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 7.0_3966002 HF1.1 and 7.5.x before 7.5_3966008 VHF1.2; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF1.1 and 8.1.x before 8.1.3 HF1.2; CSAPI before 10.0.4 HF01; Symantec Message Gateway (SMG) before 10.6.1-4; Symantec Message Gateway for Service Providers (SMG-SP) 10.5 before patch 254 and 10.6 before patch 253; Norton AntiVirus, Norton Security, Norton Internet Security, and Norton 360 before NGC 22.7; Norton Security for Mac before 13.0.2; Norton Power Eraser (NPE) before 5.1; and Norton Bootable Removal Tool (NBRT) before 2016.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory access violation) via a crafted ZIP archive that is mishandled during decompression.

Predictions

Exploit likelihood

80%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Application impact

Vendor	Product	Versions
symantec	norton_security	`{"endIncluding":"13.0.1"}`
symantec	protection_engine	`{"startIncluding":"7.0.0","endIncluding":"7.0.5"}`
symantec	protection_engine	`7.8.0`
symantec	advanced_threat_protection	`{"endIncluding":"2.0.3"}`
symantec	norton_bootable_removal_tool	`{"endIncluding":"2016.0"}`
symantec	data_center_security_server	`6.0`
symantec	data_center_security_server	`6.5`
symantec	data_center_security_server	`6.6`
symantec	protection_for_sharepoint_servers	`{"startIncluding":"6.0","endIncluding":"6.0.6"}`
symantec	message_gateway_for_service_providers	`10.5`
symantec	message_gateway_for_service_providers	`10.6`
symantec	csapi	`{"endIncluding":"10.0.4"}`
symantec	endpoint_protection	`12.1.6`
symantec	norton_power_eraser	`{"endIncluding":"5.0"}`
symantec	mail_security_for_domino	`{"startIncluding":"8.0","endIncluding":"8.0.9"}`
symantec	mail_security_for_microsoft_exchange	`{"startIncluding":"7.0","endIncluding":"7.0.4"}`
symantec	mail_security_for_microsoft_exchange	`6.5.8`
symantec	message_gateway	`{"endIncluding":"10.6.1-3"}`
symantec	norton_360
symantec	norton_antivirus
symantec	norton_internet_security
symantec	norton_security_with_backup
symantec	ngc	`{"endIncluding":"22.6"}`

References

CWEs

CWE-20

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.