CVE-2016-5421 — Use After Free in Libcurl

CWE-416 — Use After Free14 documents10 sources

Severity

8.1HIGHNVD

OSV7.5

EPSS

1.3%

top 20.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl Canonical Ubuntu Linux +4 more

Timeline

PublishedAug 10

Latest updateMay 13

Description

Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

▶NVDhaxx/libcurl7.50.0

▶Debianhaxx/curl< 7.50.1-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.8+1

▶NVDopensuse/leap42.1

▶NVDopensuse/opensuse13.2

Also affects: Debian Linux 8.0, Fedora 23, 24, Ubuntu Linux 12.04, 14.04, 16.04

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-89f8-gvcm-9g9g: Use-after-free vulnerability in libcurl before 7↗2022-05-13

▶

CVEList

CVE-2016-5421: Use-after-free vulnerability in libcurl before 7↗2016-08-10

▶

OSV

CVE-2016-5421: Use-after-free vulnerability in libcurl before 7↗2016-08-10

▶

OSV

curl vulnerabilities↗2016-08-08

▶

📋Vendor Advisories

Apple

CVE-2016-5421: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Android

CVE-2016-5421: Android Security Bulletin 2016-12-01 CVE: CVE-2016-5421 Severity: HIGH Affected AOSP versions: 7↗2016-12-01

▶

Ubuntu

curl vulnerabilities↗2016-08-08

▶

Red Hat

curl: Use of connection struct after free↗2016-08-03

▶

Debian

CVE-2016-5421: curl - Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to contro...↗2016

▶

💬Community

Bugzilla

CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7]↗2016-08-03

▶

Bugzilla

CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all]↗2016-08-03

▶

Bugzilla

CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all]↗2016-08-03

▶

Bugzilla

CVE-2016-5421 curl: Use of connection struct after free↗2016-08-01

▶