CVE-2016-8619 — Use After Free in Curl

CWE-416 — Use After Free CWE-415 — Double Free13 documents9 sources

Severity

9.8CRITICALNVD

CNA5.3

EPSS

2.9%

top 13.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl THE Curl Project Curl

Timeline

PublishedAug 1

Latest updateMay 13

Description

The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDhaxx/curl< 7.51.0

▶Debianhaxx/curl< 7.51.0-1+3

▶CVEListV5the_curl_project/curl7.51.0

Patches

Patch: www.oracle.com ↗Patch: bugzilla.redhat.com ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-86mc-c53c-6qpj: The function `read_data()` in security↗2022-05-13

▶

CVEList

CVE-2016-8619: The function `read_data()` in security↗2018-08-01

▶

OSV

CVE-2016-8619: The function `read_data()` in security↗2018-08-01

▶

📋Vendor Advisories

Apple

CVE-2016-8619: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Ubuntu

curl vulnerabilities↗2016-11-03

▶

Red Hat

curl: Double-free in krb5 code↗2016-11-02

▶

Debian

CVE-2016-8619: curl - The function `read_data()` in security.c in curl before version 7.51.0 is vulner...↗2016

▶

💬Community

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]↗2016-11-02

▶

Bugzilla

▶

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]↗2016-11-02

▶

Bugzilla

CVE-2016-8619 curl: Double-free in krb5 code↗2016-10-25

▶