URL Percent-Encoding Decode Function Vulnerability in libcurl
CVE-2016-8622
3.7LOW
What is CVE-2016-8622?
The URL percent-encoding decode function in libcurl is susceptible to a vulnerability due to improper handling of buffer sizes. Specifically, the curl_easy_unescape
function can allocate a destination buffer larger than 2GB. However, it returns the new length as a signed 32-bit integer, potentially leading to truncation or negative values. This mismanagement can cause libcurl to write beyond its intended heap buffer, resulting in significant security risks and exploitation opportunities.
Affected Version(s)
curl 7.51.0