CVE-2016-8622

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.

• CWE-122
• CWE-190
• CWE-787

• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/94105Third Party Advisory, VDB Entry
• http://www.securitytracker.com/id/1037192Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2018:2486Third Party Advisory
• https://access.redhat.com/errata/RHSA-2018:3558
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622Issue Tracking, Patch, Third Party Advisory
• https://curl.haxx.se/docs/adv_20161102H.htmlPatch, Vendor Advisory
• https://security.gentoo.org/glsa/201701-47Third Party Advisory
• https://www.tenable.com/security/tns-2016-21Third Party Advisory
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/94105Third Party Advisory, VDB Entry
• http://www.securitytracker.com/id/1037192Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2018:2486Third Party Advisory
• https://access.redhat.com/errata/RHSA-2018:3558
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622Issue Tracking, Patch, Third Party Advisory
• https://curl.haxx.se/docs/adv_20161102H.htmlPatch, Vendor Advisory
• https://security.gentoo.org/glsa/201701-47Third Party Advisory
• https://www.tenable.com/security/tns-2016-21Third Party Advisory

Published

Jul 31, 2018

Last Modified

Jun 17, 2026

Status

Modified