CVE-2007-0157
Description
Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Array index error in neon URI parser on 64-bit platforms causes denial of service via malicious URI with non-ASCII characters.
Vulnerability
Array index error in the uri_lookup function of the URI parser in neon versions 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash). The vulnerability arises from a type conversion error that generates a negative index when processing a URI with non-ASCII characters, leading to a buffer under-read [1][2][3].
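The bug class described above, shown as an added example: this is not neon's source code, and the table, the function names and the sample URI are constructed for illustration. It compares the index produced by a signed 8-bit conversion with the index produced by converting through `unsigned char`, without ever dereferencing the out-of-range value.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed 256-entry table: 1 = byte may appear unescaped in a URI.
 * Hypothetical stand-in, not neon's table. */
static unsigned char allowed[256];
static int table_ready;

static void table_init(void) {
    const char *ok = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789-._~/:";
    for (const char *p = ok; *p; p++)
        allowed[(unsigned char)*p] = 1;
    table_ready = 1;
}

/* "Before": the index a signed 8-bit conversion produces. The value is
 * returned, never dereferenced, so the demo itself stays in bounds. */
long index_signed(char ch) { return (long)(signed char)ch; }

/* "After": converting through unsigned char keeps the index in 0..255. */
long index_unsigned(char ch) { return (long)(unsigned char)ch; }

/* Hardened lookup built on the unsigned conversion. */
int uri_char_allowed(char ch) {
    if (!table_ready) table_init();
    return allowed[(unsigned char)ch];
}

/* Number of bytes in uri whose signed index would fall below the table. */
size_t count_negative_indices(const char *uri) {
    size_t n = 0;
    for (; *uri; uri++)
        if (index_signed(*uri) < 0) n++;
    return n;
}

int main(void) {
    const char *uri = "/caf\xc3\xa9";   /* constructed input, UTF-8 e-acute */
    for (const char *p = uri; *p; p++)
        printf("0x%02x signed=%ld unsigned=%ld allowed=%d\n",
               (unsigned char)*p, index_signed(*p), index_unsigned(*p),
               uri_char_allowed(*p));
    printf("negative indices: %zu\n", count_negative_indices(uri));
    return 0;
}
```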
Exploitation
Per the description, the trigger is a URI containing non-ASCII characters that a remote malicious server delivers to an application parsing it with the vulnerable neon library. No authentication or special privileges are required; the attacker only needs network access to deliver the malicious URI.
Impact
Successful exploitation results in a denial of service due to a crash of the application using the vulnerable neon library. There is no indication of information disclosure or remote code execution; the impact is limited to availability.
Mitigation
The available references do not disclose a specific fixed version. Users should check for updates to neon beyond 0.26.2. If no patch is available, consider filtering or sanitizing URIs to remove non-ASCII characters as a workaround.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (5)
Patches (0)
No patches discovered yet.
References (14)
- bugs.debian.org/cgi-bin/bugreport.cgi/neon26_0.26.2-3_to_mdx1.diff (nvd)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd)
- mailman.webdav.org/pipermail/cadaver/2007-January/001015.html (nvd)
- mailman.webdav.org/pipermail/neon/2007-January/002362.html (nvd)
- osvdb.org/39247 (nvd)
- secunia.com/advisories/23751 (nvd)
- secunia.com/advisories/23763 (nvd)
- secunia.com/advisories/23984 (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.novell.com/linux/security/advisories/2007_02_sr.html (nvd)
- www.securityfocus.com/bid/22035 (nvd)
- www.vupen.com/english/advisories/2007/0172 (nvd)
- www.vupen.com/english/advisories/2007/0362 (nvd)
- www.webdav.org/cadaver/ (nvd)