CVE-2016-8622
Description
libcurl's curl_easy_unescape function has an integer truncation flaw when decoding percent-encoded URLs, leading to heap buffer overflow on 64-bit systems.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
libcurl's curl_easy_unescape function has an integer truncation flaw when decoding percent-encoded URLs, leading to heap buffer overflow on 64-bit systems.
Vulnerability
The URL percent-encoding decode function curl_easy_unescape in libcurl versions before 7.51.0 contains an integer truncation vulnerability. When decoding a very large URL, the function may allocate a destination buffer larger than 2GB, but the returned length is stored in a signed 32-bit integer variable. This causes the length to be truncated or become negative, leading to a heap buffer overflow when libcurl writes the decoded data [4]. Affected versions: libcurl < 7.51.0.
Exploitation
An attacker on a 64-bit system who can supply a custom, very large URL to a program using libcurl can trigger the vulnerability. No authentication is required if the program processes user-supplied URLs. The attacker must craft a URL that causes the decoded output to exceed 2GB, causing integer truncation [4]. The vulnerability is reachable via any application that uses curl_easy_unescape on attacker-controlled input.
Impact
Successful exploitation results in a heap buffer overflow, potentially allowing arbitrary code execution or denial of service. The attacker may write out-of-bounds, compromising confidentiality, integrity, and availability of the affected system [1][2][3].
Mitigation
Fixed in libcurl version 7.51.0, released on November 2, 2016 [4]. Red Hat has provided updates via RHSA-2018:3558 for httpd24-curl [1] and RHSA-2018:2486 for JBoss Core Services [2]. Tenable LCE 4.8.2 also includes the fix [3]. Users should upgrade to patched versions. No workaround is available.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
12- osv-coords10 versionspkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweedpkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/curl&distro=SUSE%20Studio%20Onsite%201.3pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY
< 7.51.0-1.1+ 9 more
- (no CPE)range: < 7.51.0-1.1
- (no CPE)range: < 7.37.0-31.1
- (no CPE)range: < 7.19.7-1.64.1
- (no CPE)range: < 7.37.0-31.1
- (no CPE)range: < 7.19.7-1.64.1
- (no CPE)range: < 7.37.0-31.1
- (no CPE)range: < 7.19.7-1.64.1
- (no CPE)range: < 7.37.0-31.1
- (no CPE)range: < 7.19.7-1.20.47.2
- (no CPE)range: < 7.19.7-1.64.1
- The Curl Project/curlv5Range: 7.51.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- access.redhat.com/errata/RHSA-2018:2486mitrevendor-advisoryx_refsource_REDHAT
- access.redhat.com/errata/RHSA-2018:3558mitrevendor-advisoryx_refsource_REDHAT
- security.gentoo.org/glsa/201701-47mitrevendor-advisoryx_refsource_GENTOO
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlmitrex_refsource_CONFIRM
- www.securityfocus.com/bid/94105mitrevdb-entryx_refsource_BID
- www.securitytracker.com/id/1037192mitrevdb-entryx_refsource_SECTRACK
- bugzilla.redhat.com/show_bug.cgimitrex_refsource_CONFIRM
- curl.haxx.se/docs/adv_20161102H.htmlmitrex_refsource_CONFIRM
- www.tenable.com/security/tns-2016-21mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.