CVE-2016-9586 — Heap-based Buffer Overflow in Curl

CWE-122 — Heap-based Buffer Overflow CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer17 documents11 sources

Severity

8.1HIGHNVD

EPSS

0.9%

top 24.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Redhat Curl

Timeline

PublishedApr 23

Latest updateDec 29

Description

curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

▶NVDhaxx/curl< 7.52.0

▶Debianhaxx/curl< 7.52.1-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.11+1

▶CVEListV5redhat/curlcurl 7.52.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-9xx8-h3pj-h4h9: curl before version 7↗2022-05-13

▶

CVEList

CVE-2016-9586: curl before version 7↗2018-04-23

▶

OSV

CVE-2016-9586: curl before version 7↗2018-04-23

▶

OSV

curl vulnerabilities↗2017-10-10

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy MSM Product↗2022-08-30

▶

Ubuntu

curl vulnerabilities↗2017-10-23

▶

Ubuntu

curl vulnerabilities↗2017-10-10

▶

Apple

CVE-2016-9586: macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite↗2017-07-19

▶

Apple

CVE-2016-9586: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite↗2017-03-27

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2016-9586 curl: printf floating point buffer overflow↗2016-12-21

▶

Bugzilla

CVE-2016-9586 curl: printf floating point buffer overflow [fedora-all]↗2016-12-21

▶

Bugzilla

CVE-2016-9586 mingw-curl: curl: printf floating point buffer overflow [epel-7]↗2016-12-21

▶

Bugzilla

CVE-2016-9586 mingw-curl: curl: printf floating point buffer overflow [fedora-all]↗2016-12-21

▶